Data access permissions

You create application and data roles in the administration dashboards. There you define the global permissions for both types of roles. These roles are stored in the repository. The roles are then synchronized with the access cubes of the application.

Data access for OLAP involves two linked systems:

Data and application roles stored in the repository.
You create application and data roles in the administration dashboards. There you define the global permissions for both types of role. These roles are stored in the repository.
Data access permissions stored in access cubes.

Access permissions are assigned via cubes. These are specialized cubes that map the access permissions of roles to cubes or elements within dimensions. The access cube types are:
- Cube Access Control (#_TABACC)
- Dimension Access Control (DAC)
- Multidimensional Access Control (MDAC)

Caution:

If a user has Administer OLAP Database permission, no data access permissions are checked. This means the user has full access to all OLAP models and all data stored in the OLAP database.

The application and data access roles are shown on the #__GRP__ dimension of the access cube. Permissions, per element, cube, or cell, are stored as values within the access cube. #__GRP__ is displayed as Roles in the Manage OLAP Permissions dashboard.

In the OLAP Data Roles dashboard, you can create OLAP data roles for an application. The dashboard is similar to the Application Roles dashboard but offers different permissions. These include View OLAP, Edit Dimensions, and so on.

In the Manage OLAP Permissions dashboard, you can view and edit the permissions that are stored in an OLAP access cube.

You can assign READ, WRITE, NONE, or DEFAULT permission to entire cubes or to specific areas within a cube.

If a user is assigned to multiple roles, they will receive the highest permission defined by the roles.