Granting User Access
User access to objects such as cubes, dimensions, and mining models within an instance of Microsoft SQL Server 2005 Analysis Services (SSAS) is granted through membership in one or more database roles. Analysis Services administrators create these database roles, grant read or read/write permissions on Analysis Services objects for these roles, and then add Microsoft Windows users and groups to the roles.
Members of the Analysis Services server role and members of a database role that has Full Control (Administrator) permissions have access to all data and metadata in the database and need no additional permissions to view specific objects. Moreover, members of the Analysis Services server role cannot be denied access to any object in any database, and members of an Analysis Services database role that has Full Control (Administrator) permissions within a database cannot be denied access to any object within that database. However, members of database roles that have permissions to process certain Analysis Services objects or to read their definitions have no right to access the data that is contained in those objects.
Granting Permissions to Database Roles
The permissions that Analysis Services administrators can grant to database roles include the following:
- Granting Access to Data Sources
- Granting Dimension Access
- Granting Custom Access to Dimension Data
- Granting Cube Access
- Granting Custom Access to Cell Data
- Granting Access to Mining Structures and Mining Models
Users do not require any permissions to the relational tables in the underlying relational database from which Analysis Services loads its data, and do not require any file level permissions on the computer on which the instance of Analysis Services is running.
Analysis Services determines the effective permissions for a specific Windows user or group by combining the permissions that are associated with each database role to which the user or group belongs. As a result, if one database role does not give a user or group permission to view a dimension, measure, or attribute, but a different database role does give that user or group permission, the user or group will have permission to view the object.