Permission Objects
Permissions are
associated with an object (cube, dimension, others) for a particular role. Permissions
specify what operations the member of that role can perform on that object.
The objects that can be associated with permissions are as follows:
-
Database
-
DataSource
-
Dimension
-
Cube
-
MiningStructure
-
MiningModel
Possible actions enabled
by permissions are presented in Table 4.
|
Action
|
Values
|
Explanation
|
|
Process
|
True or False
Default=False
|
If true, members can
process the object and any object that is contained in the object.
(Process permissions do
not apply to mining models. MiningModel permissions are always inherited from
MiningStructure.)
|
|
ReadDefinition
|
None, Basic, or Allowed
Default=None
|
Specifies whether
members can read the data definition (ASSL) associated with the object.
If Allowed, members can
read the ASSL associated with the object.
Basic and Allowed are inherited by
objects that are contained in the object. Allowed overrides Basic and None.
Allowed is required for
DISCOVER_XML_METADATA on an object. Basic is required to create linked
objects and local cubes.
|
|
Read
|
None or Allowed
Default=None
(Except for DimensionPermission,
where default=Allowed)
|
Specifies whether
members have Read access to schema rowsets and data content.
Allowed gives Read access on a database,
which allows a user to discover a database.
Allowed on a cube gives Read access in
schema rowsets and access to cube content (unless constrained by CellPermission
and CubeDimensionPermission).
Allowed on a dimension grants Read
permission on all attributes in the dimension (unless constrained by CubeDimensionPermission).
Read permission is used for static inheritance to the CubeDimensionPermission
only. None on a dimension hides the dimension and gives access to the default
member only for aggregatable attributes; an error is raised if the dimension
contains a non-aggregatable attribute.
Allowed on a MiningModelPermission
grants permissions to see objects in schema rowsets and to perform predict
joins.
Note Allowed is
required to read or write to any object in the database.
|
|
Write
|
None or Allowed
Default=None
|
Specifies whether
members have Write access to data of the parent object.
Access applies to Dimension,
Cube, and MiningModel subclasses. It does not apply to database MiningStructure
subclasses, which generates a validation error.
Allowed on a Dimension grants Write
permission on all attributes in the dimension.
Allowed on a Cube grants Write
permission on the cells of the cube for partitions defined as Type=Writeback.
Allowed on a MiningModel grants permission
to modify model content.
Allowed on a MiningStructure has no
specific meaning in Analysis Services.
Note: Write cannot be set to Allowed unless Read is also
set to Allowed.
|
|
Administer
Note: Only available in Database permissions.
|
True or false
Default=False
|
Specifies whether
members can administer a database.
True grants members access to all
objects in a database.
A member can have Administer
permissions for a specific database, but not for others.
|
Table 4:
Possible Actions Enabled by Permissions (Source: MSSQL Server 2008 Books
Online)
We will examine many of the
properties, and the associated settings, that we use in establishing and
maintaining security in Analysis Services in other articles of this subseries,
where we will gain hands-on exposure to working with role-based security (and
related subjects) in a practical environment.
Conclusion
In this
article, we introduced general concepts surrounding security in Analysis
Services 2008. We noted that our introduction to security is intended to serve
as a lead-in to more detailed exploration of various concepts surrounding security
in other, independent articles of this subseries that examine the
implementation and maintenance of security, as well as hands-on sessions
focused upon various tasks surrounding security.
After
exploring general concepts surrounding security, we performed a brief overview
of Role-based security in Analysis Services. We next examined the two general
types of Roles in Analysis Services. We then discussed Role and Role Member
Objects, focusing upon the Server Role the Database Role. Finally, we explored
Access Rights and Permissions, including Permissions Inheritance and Permissions
Objects.
About the Series ...
This
article is a member of the series Introduction
to MSSQL Server Analysis Services. The monthly column is designed to provide hands-on
application of the fundamentals of MS SQL Server Analysis Services (“Analysis
Services”), with each installment progressively presenting features and
techniques designed to meet specific real-world needs. For more information on
the series, please see my initial article, Creating Our First Cube.
»
See All Articles by Columnist William E. Pearson, III
» 
Comment and Contribute
