Dimension Security
In a database role or cube role, you can implement dimension security to specify the dimension members that end users in the role can view as they browse cubes. You can also grant read/write access to a write-enabled dimension and specify the members that end users in the role can update.
Dimension security is optional. If you do not specify dimension security, end users see all dimension members in the cubes they are authorized to access. If a dimension is write-enabled, they cannot update members.
You can specify dimension security at both the database and cube levels. In a database role, for a shared dimension you can define specifications that apply to all of the database's cubes that include that dimension. These specifications provide defaults for the cube roles with the same name as the database role. In a cube role, you can override these specifications for a specific cube.
Note Unlike updates to cube cells, updates to dimension members are recorded directly in the source table. These updates can include additions, deletions, renames, and moves.
In a database role, dimension security is defined in the Dimensions tab of the Database Role dialog box. In a cube role, it is defined in the Dimensions tab of the Cube Role dialog box.
Permissions and Rules
You can set permissions and rules for groups you define in Microsoft® Windows NT® 4.0 or Windows® 2000 to manage dimension security. In addition, you can specify individual members and groups of members that can be updated and that cannot be updated. For more information, see Custom Rules in Dimension Security.
When you specify dimension security within a role, you can define permissions for each dimension.
| Permission | Description |
|---|---|
| Read | Determines which members are viewable. This permission affects the size of the visible cube because it limits the members that are displayed. |
| Read/write | Determines which members are updatable. You can define and grant this permission only if the dimension has been write-enabled. If you grant this permission and the dimension is later write-disabled, this permission is disabled, and end users cannot update the dimension's members. |
Members specified in the read/write permission are also viewable. Therefore, if the read/write permission includes members that are not in the read permission, the read/write permission also affects the size of the visible cube.
For the read permission, you can select one of the following rules.
| Rule | Description |
|---|---|
| Unrestricted | End users can view all members. This rule is the default. |
| Fully Restricted | End users cannot view members. When they browse a cube that includes the dimension, they do not see it. |
| Custom | This rule provides the most flexibility. Specify Top level, which indicates the topmost level that can be viewed. |
For the read/write permission, you can select one of the following rules.
| Rule | Description |
|---|---|
| Unrestricted | End users can update all members. This rule is available only if the read permission's rule is Unrestricted. |
| Fully Restricted | End users cannot update members. This rule is the default. This rule is available only if the read permission's rule is Unrestricted or Fully Restricted. |
| Custom | This rule provides the most flexibility. This rule is available only if the read permission's rule is Unrestricted or Custom. Specify Top level, which indicates the topmost dimension level that can be updated, or Bottom level, which indicates the bottommost dimension level that can be updated. |