Security in OLAP

You can use OLAP model security features to restrict users from accessing specific cubes within a database, restrict users from seeing particular elements within a specified dimension, and to prevent users from modifying dimensions and cube rules.

There are three types of permissions in OLAP:

  • Global: Determine what actions can be performed by users of a given role.
  • Object: Determine which objects are accessible to users of a given role.
  • Data: Determine what data values are accessible to users of a given role.

Global permissions refer to OLAP objects and to repository objects. Global OLAP permissions are permissions to administer the database, to edit dimensions, to edit rules, to import and export values, to start the database, and to write values. Global repository permissions are permissions to administer the permissions that are assigned to roles, and to delete, edit, and view those permissions.

Global permissions are required in addition to object permissions. A role with permission to edit a cube, for example, must also have rights to that cube.

Object security applies to security on cubes. #_TABACC provides object security.

#_TABACC is not involved in dimension security as you cannot configure security for an entire dimension, just for its elements. If a user does not have permission to any element of the dimension, they get an error when querying the cube.

#_TABACC contains only the #__TAB__ and #__GRP__ dimensions.

There are four possible permissions for each cell in the cube:

  • Default: Typically, the default is set to Write, but it can be configured to be None or Read.
    Note: Write refers only to permission to modify the definition of the cube. It does not refer to writing back data to the cube.
  • None: No access is allowed to the cube for the current role.
  • Read: Members of the role can see and query the cube.
  • Write: Members of the role can modify the cube definition.

Dimension Access Control (DAC) cubes and Multidimensional Access Control (MDAC) cubes provide data security. Data security refers to permissions to read and modify data in the cells of cubes.

DAC is the most frequently used. MDAC is primarily used in planning and budgeting applications. But DAC and MDAC can be used together.