How do I deny access to a whole dimension 1

[eo]

We have created an SSAS 2005 cube proof of concept, and spent a lot of time on the role (security) model, to test how flexible it is in terms of allowing and disallowing access to areas of the cube to AD user groups. We are pretty happy with the results, but one scenario remains unanswered. How to deny access to a dimension for a role.
In the dimension tab the designer can select either Read or Read/Write but not None (as on the Cube tab). Denying access to all members in the dimension data tab also does not seem to work.

Any ideas?

EO
Hertfordshire, England

 

[MDXer]

Not 100% sure you can prevent people from seeing the dimension they have access to. You can obviously prevent them from seeing the data based upon security settings. However if a user is unable to see or interact with the data how serious is it if the see the dimension exists?

Paul
---------------------------------------
Shoot Me! Shoot Me NOW!!!
- Daffy Duck

 

[MDXer]

one way to accomplish this would be to create a new cube that uses linked objects and brings in the measure groups and dimensions this group needs to see and omits the stuf they shouldn't. Since the Measuregroups and dimensions are linked the processing in the base cube will update the items in the linked cube. you could then deny access to the base cube for the specified group and push them to this cube. This isn't ideal but if removal of the dimension from viewing is the requirement I don't really see a way.

Paul
---------------------------------------
Shoot Me! Shoot Me NOW!!!
- Daffy Duck

 

[eo]

I am not sure I understand. We have a huge enterprise wide cube with many dimensions and measure groups. User access stretches from operational staff to support users. Off-course there will be cases where we would not want users to access a whole dimension. Restricting all the data in a cube stops the cube from working at all for the role at which security was set.
I am not insisting this this is indeed possible, but implying that if it is not, then I suggest a major flaw in SSAS 2005 as opposed to other cubes.

EO
Hertfordshire, England

 

[MDXer]

If you restrict access to the dimension the cube will work for the members where access is allowed. If you restrict access to all members except the ALL member or the default the cube will still work. When querying a cube if something is not specified in the cube it is assumed to be at the All or Default member. so by restricting access to everything but the all level prevents users from accessing data they are not supposed to access.

Now you would think partitions would be the way to go as I intially did but they are not. If a user has access to a partition they have access to the cube that is represented in that partition.

I think you may be falling into a trap where people believe you need 1 grand cube that suits everyones needs. The reality is that an accurate an effective cube is designed to answer a specific question or set of related questions for a specific audience. If you have data that all groups need to have access to then you can use linked measure groups, except in the case of a many to many relationship. By having cubes targeted at specific groups you have more controll of what is offered or even visable within that cube.

Paul
---------------------------------------
Shoot Me! Shoot Me NOW!!!
- Daffy Duck