Roles and Permissions (Analysis Services)
APPLIES TO: SQL Server Analysis Services, Azure Analysis Services
Analysis Services provides a role-based authorization model that grants access to operations, objects, and data. All users who access an Analysis Services instance or database must do so within the context of a role.
As an Analysis Services system administrator, you are in charge of granting membership to the server administrator role that conveys unrestricted access to operations on the server. This role has fixed permissions and cannot be customized. By default, members of the local Administrators group are automatically Analysis Services system administrators.
Non-administrative users who query or process data are granted access through database roles. Both system administrators and database administrators can create the roles that describe different levels of access within a given database, and then assign membership to every user who requires access. Each role has a customized set of permissions for accessing objects and operations within a particular database. You can assign permissions at these levels: database, interior objects such as cubes and dimensions (but not perspectives), and rows.
It is common practice to create roles and assign membership as separate operations. Often, the model designer adds roles during the design phase. This way, all role definitions are reflected in the project files that define the model. Role membership is typically rolled out later as the database moves into production, usually by database administrators who create scripts that can be developed, tested, and run as an independent operation.
All authorization is predicated on a valid Windows user identity. Analysis Services uses Windows authentication exclusively to authenticate user identities. Analysis Services provides no proprietary authentication method. See Authentication methodologies supported by Analysis Services.
Permissions are additive for each Windows user or group, across all roles in the database. If one role denies a user or group permission to perform certain tasks or view certain data, but another role grants this permission to that user or group, the user or group will have permission to perform the task or view the data.
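The additive rule above can be checked during a role review. The following is an added example, not code from Analysis Services or its documentation: it uses a simplified, constructed model of roles (the role names, `CONTOSO` principals, object names, and the `grants`/`denies` fields are all hypothetical) to compute each user's effective permissions and to list every deny that another role's grant cancels out.

```python
# Simplified model of additive role permissions. Constructed sample data;
# every name below is hypothetical and not an Analysis Services API.
GROUPS = {  # Windows group -> member users
    r"CONTOSO\Sales": {r"CONTOSO\alice", r"CONTOSO\bob"},
    r"CONTOSO\Finance": {r"CONTOSO\bob"},
}
ROLES = {
    "SalesReaders": {
        "members": {r"CONTOSO\Sales"},
        "grants": {("Sales cube", "read")},
        "denies": {("Salary dimension", "read")},
    },
    "FinanceAnalysts": {
        "members": {r"CONTOSO\Finance"},
        "grants": {("Sales cube", "read"), ("Salary dimension", "read")},
        "denies": set(),
    },
}

def roles_for(user, roles=ROLES, groups=GROUPS):
    """Roles a user holds directly or through a Windows group."""
    principals = {user} | {g for g, members in groups.items() if user in members}
    return sorted(name for name, r in roles.items() if r["members"] & principals)

def effective_permissions(user, roles=ROLES, groups=GROUPS):
    """Union of grants across every role the user belongs to."""
    perms = set()
    for name in roles_for(user, roles, groups):
        perms |= roles[name]["grants"]
    return perms

def overridden_denies(roles=ROLES, groups=GROUPS):
    """(user, permission, denying role, granting role) where a deny has no effect."""
    direct = {m for r in roles.values() for m in r["members"] if m not in groups}
    users = set().union(*groups.values()) | direct
    findings = []
    for user in sorted(users):
        held = roles_for(user, roles, groups)
        for deny_role in held:
            for perm in sorted(roles[deny_role]["denies"]):
                for grant_role in held:
                    if grant_role != deny_role and perm in roles[grant_role]["grants"]:
                        findings.append((user, perm, deny_role, grant_role))
    return findings

if __name__ == "__main__":
    for finding in overridden_denies():
        print("deny overridden:", finding)
```

Each finding identifies a user for whom a restriction in one role is ineffective because of membership in another role, which is the case to review before rolling out role membership.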