Multidimensional access control cubes

You can create a cube for multidimensional access control (MDAC) for the combination of several dimensions in an OLAP cube. MDAC is a multidimensional cube. The application and data access roles are shown on the #__GRP__ dimension. The other dimensions are those for which the access is to be restricted.

Caution:

If a user has Administer OLAP Database permission, no data access permissions are checked.

Each cell in the MDAC cube sets the permissions for a part of the original cube. That sub cube contains those cells of the fact cube that are addressed by the elements in the restricted dimensions in the MDAC cube.

In this cube, you can assign READ, WRITE, or NONE permissions for a role and for each dimension element.

An MDAC provides security at the cell level.

An MDAC contains the #__GRP__ dimension, containing roles, and a subset of the dimensions in the cube that the MDAC controls. That is, it is not necessary to include all dimensions of a cube in an MDAC.

For example, you might have a cube that contains four dimensions: Time, Product, Region, and Version. A typical requirement would be to control the Period and Version dimension, and have the same rules apply to whichever region or product planning is being done for. This requirement could be fulfilled by an MDAC containing the #__GRP__ dimension and the Time and Version dimensions. This could be used to specify, for example, that, for whichever product or region is selected, the budget for the coming year is writable, but the budgets and actuals for previous years are read-only. In this example, security on the Product and Region dimensions, if required, could be controlled by a DAC. Thus, MDAC enables finer or more granular control. If such a level of control is not required for all dimensions in the cube, they need not be included in the MDAC.

This table shows actual and budget values for 2017, 2018, and 2019. The values for 2017 and 2018 are read-only. The actual value for 2019 has access set as NONE, the budget value for 2019 has WRITE access.


Year	Actual	Budget
2017	10*	15*
2018	12*	7*
2019	**	***

The access to each cell is indicated by asterisks:

* indicates the READ access.

** indicates no access.

*** indicates the WRITE access.

You can assign a cube not only one, but several MDACs. To have write access to a cell, each MDAC cube must grant you WRITE access.

Only users with administrator permission have access to the MDAC cube. You must use d/EPM Administration to assign global access permissions like administrator rights.

The permissions are represented in the MDAC cube cells by these numeric values:


Permission	Cell value
DEFAULT	Empty cell
NONE	0
READ	1
WRITE	2