Object and data access permissions

You create application and data roles in the administration dashboards. There you assign the global permissions to both types of roles. These roles are stored in the repository. The roles are then synchronized with the access cubes of the application.

Data access for OLAP involves two linked systems:

Data and application roles stored in the repository.
You create application and data roles in the administration dashboards. There you define the global permissions for both types of role. These roles are stored in the repository.
Object and data access permissions stored in access cubes.
Access permissions are assigned via cubes. These are specialized cubes that map the access permissions of roles to cubes or elements within dimensions. The access cube types are:
- Cube Access Control (#_TABACC)
- Dimension Access Control (DAC)
- Multidimensional Access Control (MDAC)
- Relations Access Control (RAC)

Caution:

If a user has Administer OLAP Database permission, no data access permissions are checked. This means the user has full access to all OLAP models and all data stored in the OLAP database.

The application and data roles are shown on the Role dimension ( #__GRP__ ) of the access cube. Permissions per element, cube, or cell, are stored as values within the access cube.

In the OLAP Data Roles dashboard, you can create OLAP data roles for an application. The dashboard is similar to the Application Roles dashboard but offers different permissions. These include View OLAP, Edit Dimensions, and so on.

In the Manage OLAP Permissions dashboard, you can view and edit the permissions that are stored in an OLAP access cube.

You can assign READ, WRITE, NONE, or DEFAULT permissions to entire cubes, to dimension elements, or to cells within a cube.

If a user is assigned to multiple roles, they will receive the highest permission defined by the combination of roles and permissions in the access cube.