Dimension access control cubes

For each dimension in an OLAP database, you can create a Dimension Access Control (DAC) cube. A DAC is a two-dimensional cube. The application and data access roles are shown on the #__GRP__ dimension. The second dimension is the dimension whose access is being controlled. By default, DAC cubes are named with the name of the dimension being controlled, prefixed by #. In the cube, you can assign READ, WRITE, NONE, or DEFAULT rights for a role and element. Specify the appropriate access level in the cell located at the intersection of the element name and the user group that you want to administer.
Caution: 
If a user has Administer OLAP Database permission, no data access permissions are checked.

DAC values affect the accessibility of cube data to members of the current role. The DAC values affect the data that is stored in all of the cubes that access the dimension.

This table describes an example of the #CHANNEL access cube from the Samples OLAP database with five standard roles (BulkImport, Designer, ViewRole, AdministratorRole, MasterRole) and elements of the CHANNEL dimension. All roles except ViewRole have default permissions for all channels. ViewRole has Read permissions for Indirect Sales and NONE permission for Direct Sales. Samples can be enabled only in on-premises environments.

#CHANNEL
Channel         AdministratorRole  BulkImport  Designer  MasterRole  ViewRole
Indirect Sales  Default            Default     Default   Default     Read
Direct Sales    Default            Default     Default   Default     None

The permissions are represented in the DAC cube cells by these numeric values:

Permission             Cell value
DEFAULT                Empty cell
NONE                   0
READ                   1
WRITE                  2
NONE, to be passed     8
READ, to be passed     9
WRITE, to be passed    10
NONE, inherited        16
READ, inherited        17
WRITE, inherited       18

The to be passed value can be specified for consolidated elements. It passes the same value to all descendants of an element. For example, in a Period dimension with Month, Quarter, and Year levels, the READ, to be passed permission can be specified for the year 2018. It is then passed to all quarters and months under the selected year. The to be passed permission is also automatically assigned to any new elements that are created under the selected consolidated element at a later stage, for example, new products under a selected product group or new divisions under a selected department.

To import security permissions, the corresponding values (0, 1, 2, 8, 9, 10) must be loaded to the access cubes.

Permissions that should be passed are higher by 8 than the permission itself. For example, READ, to be passed is 9 which is 1 + 8.

Inherited permissions are higher by 16 than the permission itself. For example, WRITE, inherited is 18 which is 2 + 16. The inherited permissions are automatically created by the OLAP database. They cannot be written.
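
The following added example (not part of the product or its documentation) decodes DAC cell values using the offsets described above and screens a load file before import. It sets aside inherited values, which cannot be written, undefined values, and to be passed values on elements that are not consolidated. The row layout (element, role, cell), the function names, and the sample rows are assumptions made for the example.

```python
# Added example: pre-import check for DAC cell values (row layout is assumed).
PERMISSIONS = {0: "NONE", 1: "READ", 2: "WRITE"}
TO_BE_PASSED = 8   # offset from the page: READ, to be passed = 1 + 8
INHERITED = 16     # offset from the page: WRITE, inherited = 2 + 16


def decode(cell):
    """Return (permission, modifier) for a DAC cell; an empty cell is DEFAULT."""
    text = "" if cell is None else str(cell).strip()
    if not text:
        return ("DEFAULT", None)
    value = int(text)  # raises ValueError for non-integer text
    for offset, modifier in ((INHERITED, "inherited"), (TO_BE_PASSED, "to be passed"), (0, None)):
        if value - offset in PERMISSIONS:
            return (PERMISSIONS[value - offset], modifier)
    raise ValueError(f"not a DAC cell value: {cell!r}")


def check_import(rows, consolidated):
    """Split rows into (loadable, flagged) before loading an access cube.

    rows: iterable of (element, role, cell).
    consolidated: set of element names that have children.
    """
    loadable, flagged = [], []
    for element, role, cell in rows:
        try:
            permission, modifier = decode(cell)
        except ValueError as exc:
            flagged.append((element, role, cell, str(exc)))
            continue
        if modifier == "inherited":
            flagged.append((element, role, cell, "inherited values cannot be written"))
        elif modifier == "to be passed" and element not in consolidated:
            flagged.append((element, role, cell, "to be passed is for consolidated elements"))
        else:
            loadable.append((element, role, permission, modifier))
    return loadable, flagged


# Constructed sample rows for a Period-style dimension (not data from the page).
SAMPLE_ROWS = [
    ("2018", "ViewRole", "9"),      # READ, to be passed on a year
    ("2018-Q1", "ViewRole", ""),    # empty cell, DEFAULT
    ("2018-01", "ViewRole", "10"),  # to be passed on a leaf month
    ("2018-02", "ViewRole", "17"),  # inherited value in a load file
    ("2018-03", "ViewRole", "3"),   # not a defined value
]
SAMPLE_CONSOLIDATED = {"2018", "2018-Q1"}
```

Reviewing the flagged rows before a load keeps mistyped values and unintended WRITE grants out of the access cube.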