Cells Tab (Cube Role Dialog Box)
Use this tab to control the role's access to cells in the cube for which the role is defined.
Cell security is defined with policies, permissions, and rules.
The default policy is Unrestricted Read. For a write-enabled cube, you can select a policy of Unrestricted Read/Write. For any cube, you can select a policy of Advanced, which allows you to select the cells that can and cannot be accessed.
You select or define rules for each displayed permission only with an Advanced policy. With an Advanced policy, a cube always has a read permission and a read contingent permission. However, only write-enabled cubes have read/write permissions and may be updated by end users. (A virtual cube has a read/write permission if one or more of its component cubes is write-enabled.) For each permission, you can select from various rules, which are described later in this topic.
For more information about cell security, see Cell Security.
Options
Cell security policy
Select from the following policies:
- Unrestricted read
The role can view all cell values. This policy is the default.
- Unrestricted read/write
The role can view and update all cell values. This policy is available only for write-enabled cubes. It is available for virtual cubes only if one or more of its component cubes is write-enabled.
- Advanced
The role can view and update only the cell values you specify in the permissions and rules.
- Allow users to commit writeback changes
This option is available only for write-enabled cubes for which Cell security policy is Advanced. This option permits users to make actual changes to the writeback table when selected. If this option is not enabled, changes apply only to ad hoc analysis and are temporary.
Permission
View or set permissions. Permissions are used only if Cell security policy is Advanced. A cube role can have read, read contingent, or read/write permissions.
Option | Description |
---|---|
Read | Determines which cells the users in the role can view. Cube roles for all cubes have a read permission. |
Read contingent | Determines which cells the users in the role can view, subject to the following condition: if a cell is specified in this permission and derived from other cells, it is viewable only if all the other cells are viewable. The other cells are deemed viewable if they are included in the read permission or included in the read contingent permission but not derived from other cells. If a cell is specified in the read contingent permission and not derived from other cells, it is viewable.
The most common derived cells are for calculated members. For example, the calculated member Profit is derived from the measures Sales and Cost (Profit equals Sales minus Cost). If cells for Profit are specified in the read contingent permission, they are viewable only if cells for both Sales and Cost are viewable (that is, included in the read permission or included in the read contingent permission but not derived from other cells). If a cell is included in both the read and read contingent permissions, the read permission is enforced, but the read contingent permission is not. Cube roles for all cubes have a read contingent permission. |
Read/write | Determines which cells the users in the role can update. A cube role has a read/write permission only if the associated cube is write-enabled or the associated virtual cube has one or more write-enabled, component cubes. If you allow access to a cell in the read/write permission, it is viewable even if it is not accessible in the read permission or read contingent permission. In this case the cell is viewable as if it were accessible in the read permission. |
If Cell security policy is Advanced, for each displayed permission, select a rule.
Note Including derived cells in the read permission incurs the risk that end users might determine cell values they cannot view. For example, if Profit is included in the read permission, and cells for Cost are viewable, but cells for Sales are not, end users can determine Sales values by adding Profit and Cost values.
Rule
View or set rules. Rules are accessible only if Cell security policy is Advanced.
The following table describes the rules that are available for each permission.
Permission | Rule | Rule description |
---|---|---|
Read | Unrestricted | The role can view all cell values. This rule is the default. |
Fully Restricted | The role can view only the cell values specified in the read/write permission or read contingent permission, subject to its limitations described earlier in this topic. | |
Custom | You can specify the cell values that are viewable and not viewable in the Cube Cell Security dialog box. To access this dialog box, select Custom, and then in the Custom Settings column click the edit (...) button. | |
Read contingent | Unrestricted | The role can view all cell values that are not derived from other cells. If a cell value is derived from other cells, it is viewable if all the other cells are included in the read or read/write permission. |
Fully Restricted | The role can view only the cell values specified in the read permission or read/write permission. This rule is the default. | |
Custom | You can specify the cell values that are viewable and not viewable, subject to the limitations of the read contingent permission described earlier in this topic, in the Cube Cell Security dialog box. To access this dialog box, select Custom, and then in the Custom Settings column click the edit (...) button. | |
Read/write | Unrestricted | The role can update all cell values. |
Fully Restricted | The role cannot update cell values. | |
Custom | You can specify the cell values that are updatable and not updatable in the Cube Cell Security dialog box. To access this dialog box, select Custom, and then in the Custom Settings column click the edit (...) button. |
If the rules define a cell as not viewable, the cell itself is visible but its value is not.
Custom Settings
View descriptions of custom rules. For other rules, this column is blank.