Overview of security in OLAP

OLAP provides extensive user security features. For example, you can restrict users from accessing specific cubes within a database, restrict users from seeing particular elements within a specified dimension, and enable users to modify dimensions and cube rules.

There are three types of permissions in OLAP:

  • Global: Determine what actions can be performed by users of a given role.
  • Object: Determine which cubes are accessible to users of a given role.
  • Data: Determine what data values are accessible to users of a given role.

Global OLAP permissions are assigned to roles and include permissions to administer the database, to edit dimensions, to edit rules, to import and export values, and to write values.

The assignment of global OLAP permissions to application and data roles is done in EPM Administration.

Global permissions also require object permissions. A role with permission to edit cube rules, for example, must also have rights to access that cube.

OLAP synchronizes data and application roles into the OLAP roles dimension. This enables OLAP administrators to set object and data permissions for each role. Object security and data security relate to the ability to view and change data in cubes.

There are four types of object and data security:

  • Cube access control
  • Dimension access control (DAC)
  • Multidimensional access control (MDAC)
  • Relations access control (RAC)

All four types are configured with access control cubes. To access a cell, a user must have at least the Read permission in each of the applicable access control cubes. Cell changes can be applied only if all the access control cubes provide Write permission.

The cube access control cube is sometimes referred to as #_TABACC because that is the name of the cube. Its caption is Cube Permissions.

The Cube Permissions cube contains two dimensions: Cubes (#__TAB__) and Roles (#__GRP__).

The #__GRP__ dimension is system-generated and contains a list of application roles and data roles.

Note: If an application role and a data role have an identical name, only one element is generated for both roles. That is, only one set of permissions is maintained in the access cubes. Select Dashboards > OLAP > Manage Permissions to find #__GRP__ elements that belong to both roles.

There are four possible permissions for each cell in the Cube Permissions cube:

  • Default: The default permission is used if no permission is set explicitly. The default permission can be set to None, Read, or Write in the settings of the database.
  • None: Users of the role have no access to the cube.
  • Read: Users of the role can see and query the cube.
  • Write: Users of the role can modify cell values and cell notes of the cube.

Dimension Access Control (DAC) cubes, Multidimensional Access Control (MDAC) cubes, and Relations Access Control (RAC) cubes provide additional data security. Data security refers to permissions to read and modify data in the cells of cubes.

DAC cubes are the most frequently used. A typical case is users who are assigned to specific data roles and, therefore, can access only certain companies. MDAC cubes are primarily used in planning and budgeting applications, where they restrict users to working only in a specific context, such as a specific period, budget version, and company. RAC cubes are used when certain cell combinations are never relevant and must not be used. An example is an invalid combination of a company and cost center.

All three access cube types can be used together.
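
The evaluation rule described above (Read is needed in every applicable access control cube, Write only if all of them grant Write, and Default in Cube Permissions falls back to the database setting) amounts to taking the lowest permission across the cubes. The following Python example is added here for illustration and is not product code or an OLAP API; the function names, the cube names, and the sample data are constructed assumptions, and it models a single role only.

```python
from enum import IntEnum

class Perm(IntEnum):
    NONE = 0
    READ = 1
    WRITE = 2

DEFAULT = "Default"  # Cube Permissions cell with no explicit permission set

def resolve_cube_permission(cell, database_default):
    """Cube Permissions cell -> Perm; Default falls back to the database setting."""
    return database_default if cell == DEFAULT else cell

def effective_permission(cube_cell, database_default, data_cubes):
    """Lowest permission across all applicable access control cubes.

    data_cubes maps the name of each applicable DAC/MDAC/RAC cube to the
    permission it grants the role for the cell in question.
    """
    perms = [resolve_cube_permission(cube_cell, database_default)]
    perms.extend(data_cubes.values())
    return min(perms)

def blocking_cubes(cube_cell, database_default, data_cubes, wanted):
    """Names of the access control cubes that deny the wanted permission."""
    blockers = []
    if resolve_cube_permission(cube_cell, database_default) < wanted:
        blockers.append("Cube Permissions")
    blockers += [name for name, perm in data_cubes.items() if perm < wanted]
    return blockers

# Constructed sample: one role and one cell of a hypothetical cube.
SAMPLE = {
    "cube_cell": DEFAULT,              # nothing set explicitly for this role
    "database_default": Perm.READ,     # database setting: None, Read, or Write
    "data_cubes": {
        "DAC Company": Perm.WRITE,
        "MDAC Period/Version/Company": Perm.WRITE,
        "RAC Company/CostCenter": Perm.READ,
    },
}

if __name__ == "__main__":
    print("Effective:", effective_permission(**SAMPLE).name)
    print("Blocking Write:", blocking_cubes(**SAMPLE, wanted=Perm.WRITE))
```

When a role cannot write a cell even though its DAC entry grants Write, listing the blocking cubes this way shows which other access control cube, or the database default, is holding the permission down.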