Overview of security in OLAP
There are three types of permissions in OLAP:
- Global: Determine what actions can be performed by users of a given role.
- Object: Determine which objects are accessible to users of a given role.
- Data: Determine what data values are accessible to users of a given role.
Global permissions refer to OLAP objects and to repository objects. Global OLAP permissions are permissions to administer the database, to edit dimensions, to edit rules, to import and export values, to start the database, and to write values. Global repository permissions are permissions to administer the permissions that are assigned to roles, and to delete, edit, and view those permissions.
Global permissions are required in addition to object permissions. A role with permission to edit a cube, for example, must also have rights to that cube.
Object security applies to cubes. #_TABACC provides object security.
#_TABACC is not involved in dimension security, because you cannot configure security for an entire dimension, only for its elements. If a user does not have permission to any element of the dimension, they get an error when querying the cube.
#_TABACC contains only the #__TAB__ and #__GRP__ dimensions.
There are four possible permissions for each cell in the #_TABACC cube:
- Default: Typically, the default is set to Write, but it can be configured to be None or Read.
- None: No access is allowed to the cube for the current role.
- Read: Members of the role can see and query the cube.
- Write: Members of the role can modify cell values and cell notes of the cube.
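An added example, not part of the original documentation or of the product: a small Python model of the two checks described above (the global permission plus the #_TABACC cell), used to list roles that can write to a cube only because the cell is left at Default. The dictionary layout, the cube and role names, the "write values" key, and the treatment of a missing cell as Default are assumptions; DAC and MDAC data security is not modelled.

```python
# Added illustration. The data layout is constructed; it is not an OLAP export format.

def cell_permission(tabacc, cube, role, default="Write"):
    """Resolve one #_TABACC cell (#__TAB__ = cube, #__GRP__ = role).
    A cell set to "Default" takes the configured default (None, Read or Write).
    Assumption: a cell missing from the dict is treated as "Default"."""
    value = tabacc.get((cube, role), "Default")
    return default if value == "Default" else value

def can_write(global_perms, tabacc, cube, role, default="Write"):
    """Writing needs the global 'write values' permission AND Write on the cube."""
    has_global = "write values" in global_perms.get(role, set())
    return has_global and cell_permission(tabacc, cube, role, default) == "Write"

def audit_default_writes(global_perms, tabacc, cubes, roles, default="Write"):
    """Return (cube, role) pairs that can write only because the cell is Default.
    These are the grants nobody set explicitly, so they deserve a review."""
    findings = []
    for cube in cubes:
        for role in roles:
            explicit = tabacc.get((cube, role), "Default") != "Default"
            if not explicit and can_write(global_perms, tabacc, cube, role, default):
                findings.append((cube, role))
    return findings

# Constructed sample data (hypothetical cubes and roles).
CUBES = ["SALES", "BUDGET"]
ROLES = ["Planner", "Viewer", "Analyst"]
GLOBAL = {"Planner": {"write values"}, "Analyst": {"write values"}, "Viewer": set()}
TABACC = {
    ("SALES", "Planner"): "Write",
    ("SALES", "Analyst"): "Read",
    ("BUDGET", "Planner"): "Default",
    ("BUDGET", "Viewer"): "None",
    # ("SALES", "Viewer") and ("BUDGET", "Analyst") are left unset -> Default
}

if __name__ == "__main__":
    for cube, role in audit_default_writes(GLOBAL, TABACC, CUBES, ROLES):
        print(f"{role} can write to {cube} only through the Default permission")
```

Passing default="Read" to the audit shows the effect of changing the configured default away from Write.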
Dimension Access Control (DAC) cubes and Multidimensional Access Control (MDAC) cubes provide data security. Data security refers to permissions to read and modify data in the cells of cubes.
DAC is the most frequently used. MDAC is primarily used in planning and budgeting applications, but DAC and MDAC can be used together.