Access control

OLAP Server provides extensive access security. You can prevent users accessing specific cubes within a database and prevent them from seeing particular elements within a specified dimension. Or, you can prevent a user changing dimensions and cube rules.

Types of access permissions

There are two types of access permissions for OLAP Server databases:

  • General access permissions limit the ability of users to manipulate the database structure. To assign such permissions to users you must use the Repository.
  • Data access permissions limit the ability of users to see and change data in cubes.

Data access permissions

Data access permissions are assigned via administration cubes. These are two-dimensional cubes that map access permissions to roles and to OLAP Server cubes or dimension elements. There are three types of administration cubes.

OLAP Server provides a detailed security system for restricting access to data. You can assign Read, Write, None, Administrator or Default permissions to cubes or to specific areas of a cube.

Read access permissions allow a user to view cubes and cube data, but does not allow them to change cube data.

Write access permissions allow a user to view cubes and cube data, and to change it.

Note: For a user or a role to be assigned write access to a cube, they must also have Write permissions assigned under their General Access Permissions. You must use the Repository to assign general access permissions to users and roles. See the online help of the Repository for details about the role concept.

If a user’s access to a cube is None, they will not see that cube in any list of available cubes. If they try to access the cube from a report, OLAP Server will not return any values. If a user’s access to elements of a dimension is None, they cannot access those elements in any list of available elements. If they try to use these elements as arguments in a DBGET or DBGETC formula, the formula will not return any values.

Administrator access gives a user full permissions on the database.

Before a user is assigned data access permissions to a cube or cube area, that user has Default permissions. An administrator can determine what the Default permissions are for a specific cube (i.e. All, Read, Write or None) in Infor BI Repository Administration. In the General section of the Database Settings section of the database you can view the default access permissions to data.

Cube access control

Whenever you create an OLAP Server database, a cube called #_TABACC (Table Access Control) is generated. This is a two-dimensional cube containing a list of all the roles as one dimension and a list of all available cubes as the second dimension. In it you can assign Read, Write, None, Administrator or Default permissions for the different cubes to roles.

Assigning data access permissions to cubes.

Note: Only users with administrator permissions have access to this cube. You must use the Repository to assign general access permissions.

Dimension access control

For each dimension in a database, you can create a Dimension Access Control (DAC) cube. This is a two-dimensional cube containing a list of all the roles as one dimension and the selected dimension as the second dimension. In it you can assign Read, Write, None, Administrator or Default permissions for the different dimension elements to roles.

SeeAssigning data access permissions to single dimensions.

Note: Only users with administrator permissions can access this cube. You must use the Repository to assign general access permissions like administrator permissions.

Multidimensional access control

You can create a cube for multidimensional access control (Multi-DAC) to several dimensions in a database. One dimension contains a list of all the roles (read from the Repository). The Multi-DAC must also contain at least one dimension of the cube to which you want to control access. In it you can assign Read and Write permissions to cells.

SeeAssigning data access permissions to multiple dimensions.

Example

For example, the TOTSALES cube has 6 dimensions:

  • Years
  • Actvsbud
  • Regions
  • Products
  • Months
  • Measures

You create a Multi-DAC cube to control access to TOTSALES. It has these dimensions:

  • #_GRP_ (roles dimension)
  • Months
  • Regions

You enter Write permission to cell [View_Role, January, USA] in the Multi-DAC cube.

All members of the View_Role can write to Totsales cells with: [any element from Years, any element from Actvsbud, USA, any element from Products, January, any element from Measures].

Note: You can assign a cube several Multi-DACs, but you need to have write access to all of them.

Only users with administrator permissions can access this cube. You must use the repository to assign general access permissions like administrator permissions.