Role-based security

Security is role-based. That is, permissions are defined in roles and then users, or groups of users, are assigned to those roles. There is thus no direct mapping of users or groups to permissions.

There are two types of roles: application roles and data roles.

Application roles enable you to define permissions on all three authorization levels (Global, Object, Data). Typically, application roles are used for business roles, such as Sales Manager or Controller.

Data roles enable you to define permissions on the data level only.

Typically, there are many more data roles than application roles. For example, an application role can be created for the business role Sales Manager. All sales managers who are assigned to the Sales Manager role can view the same reports and dashboards and access the same data cubes. But each sales manager is responsible for a separate region and must see only the sales data for their region. To achieve this, you create a data role for each region. Thus, a user in the Sales Manager role, assigned to the Region 1 data role, can see only the data for Region 1. A second user, also in the Sales Manager role, but assigned to the Region 2 data role, can see only the data for Region 2.

Data roles can control access even at the level of element and cube cell.

Note: We recommend that you do not create application roles and data roles with identical names.
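
The Sales Manager and region scenario, together with a check for the naming recommendation in the note, modeled in Python as an added example (not the product's own code or API). The cube name `Sales`, the Region dimension, the user names, and the evaluation rules (both levels must allow, grants from several data roles are combined, no matching role means deny) are assumptions, since the page does not state how roles are evaluated.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ApplicationRole:            # simplified: object-level grants only
    name: str
    objects: frozenset            # reports, dashboards, cubes the role may open

@dataclass(frozen=True)
class DataRole:                   # data-level grants only
    name: str
    cube: str
    regions: frozenset            # elements of a hypothetical Region dimension

@dataclass
class User:                       # users hold roles, never permissions directly
    name: str
    app_roles: list = field(default_factory=list)
    data_roles: list = field(default_factory=list)

def can_read(user, cube, region):
    """Assumed semantics: both levels must allow; no matching role means deny."""
    if not any(cube in r.objects for r in user.app_roles):
        return False              # object level: no application role opens the cube
    return any(d.cube == cube and region in d.regions for d in user.data_roles)

def visible_rows(user, cube, rows):
    """Filter cube rows down to the regions the user's data roles grant."""
    return [row for row in rows if can_read(user, cube, row["region"])]

def name_collisions(app_roles, data_roles):
    """Names used by both role types, which the note above recommends avoiding."""
    return sorted({a.name for a in app_roles} & {d.name for d in data_roles})

# Constructed sample data mirroring the Sales Manager / Region example.
SALES_MANAGER = ApplicationRole("Sales Manager", frozenset({"Sales"}))
REGION_1 = DataRole("Region 1", "Sales", frozenset({"Region 1"}))
REGION_2 = DataRole("Region 2", "Sales", frozenset({"Region 2"}))
ROWS = [{"region": "Region 1", "amount": 100}, {"region": "Region 2", "amount": 250}]

alice = User("alice", [SALES_MANAGER], [REGION_1])
bob = User("bob", [SALES_MANAGER], [REGION_2])
carol = User("carol", [SALES_MANAGER], [])       # no data role: sees no rows
dave = User("dave", [], [REGION_1])              # no application role: cube closed

if __name__ == "__main__":
    for u in (alice, bob, carol, dave):
        print(u.name, visible_rows(u, "Sales", ROWS))
    print(name_collisions([SALES_MANAGER, ApplicationRole("Region 1", frozenset())],
                          [REGION_1, REGION_2]))
```

Running `name_collisions` over an exported role list is a quick audit for the naming recommendation; the `carol` and `dave` cases show the two half-configured assignments worth looking for in a review.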