Cube Role Manager
Use this tool to maintain cube roles.
A cube role applies to only a single cube. A cube role is created when you assign a database role to a cube by selecting the database role in Cube Role Manager. This action grants the role's users access to the cube. The name and default values of a cube role are derived from the selected database role. Some of these defaults can be overridden in the cube role. In addition, cube roles contain options such as cell security that are not contained in database roles.
In Cube Role Manager, each row with a selected check box in the list displays a cube role. Users in these roles can access the cube displayed in the title bar of Cube Role Manager. These roles can be maintained within Cube Role Manager.
Each unchecked row displays a database role not assigned to the cube. Users in these roles cannot access the cube unless they are also in one or more of the selected cube roles. The database roles cannot be maintained within Cube Role Manager. (To maintain them, use Database Role Manager.)
To grant users in a database role access to the cube, select the check box beside the database role. This action creates a cube role with the same name as the database role and removes the database role from the list.
Caution Clearing the check box beside a role deletes the cube role and all its settings, including cell security settings.
To deny users in a cube role access to the cube, clear the check box beside the cube role. This action deletes the cube role and adds to the list the database role with the same name as the cube role.
The list is sorted with cube roles followed by database roles. Each category is sorted alphabetically by the role names in the Role column.
Cube Role Manager appears when in the Analysis Manager tree pane, you right-click a cube and then click Manage Roles.
Options
View whether a role can access the cube displayed in the title bar of Cube Role Manager. Only checked roles can access the cube.
Role
View the role names.
Enforce on
Set the location of security enforcement: Server or Client. Server enforcement is more secure but may slow performance. Client enforcement generally provides better performance but increases the risk of unauthorized access to data on the client workstation.
If Client is selected, queries might be resolved partially or completely at the client workstation.
If Server is selected, queries are resolved entirely on the Analysis server or at the data source. User-defined functions stored exclusively on client workstations cannot be used.
To change the value, click it, click the edit (...) button, and then in the Cube Role dialog box, in the Enforce on box, select the new value.
Membership
View the Microsoft® Windows NT® 4.0 or Windows® 2000 users and groups in each role.
To change the membership of a cube role, click the cell where the role intersects Membership, click the edit (...) button, and then use the Membership tab of the Cube Role dialog box.
Note Changes in this tab propagate to the database role and cube roles with the same name as the edited cube role.
Restricted Dimensions
View the cube's dimensions with a read permission or read/write permission of Fully Restricted or Custom.
To access the dimension security settings for a cube role, click the cell where the role intersects Restricted Dimensions, click the edit (...) button, and then use the Dimensions tab of the Cube Role dialog box.
Cells
View the cell security policy. A lock icon indicates that the cell security policy of the role is Advanced.
If the Cells column is blank, the cell security policy is Unrestricted Read.
To access the cell security settings for a cube role, click the cell where the role intersects Cells, click the edit (...) button, and then use the Cells tab of the Cube Role dialog box.
Drillthrough
Select whether end users in the role can drill through to a cell's source data. This ability also requires drillthrough to be enabled for the cube or at least one of its partitions. For more information, see Specifying Drillthrough Options.
To change the value, click it, click the edit (...) button, and then on the Options tab of the Cube Role dialog box, select or clear the Allow drillthrough check box.
Description
View the description of each role. To change a description, click it, click the edit (...) button, and then in the Cube Role dialog box, in the Description box, type a new description.
Show
Click to limit the roles displayed in the list. You can limit by a user name or group name in the roles.
- Roles containing users
- Select to limit by a user name or group name in the roles. Type the user name or group name, or type the first part of a name, and then click the magnifying glass button.
- Roles assigned to cubes
- Select to limit by a cube to which the roles are assigned. Type the cube name, and then click the magnifying glass button.
New
Click to display the Cube Role dialog box so you can create a new cube role. When you create a new cube role, a database role with the same name and specifications is also created.
Edit
Click to display the selected cube role in the Cube Role dialog box, where you can edit the cube role.
Duplicate
Click to display the Duplicate Role dialog box, where you can supply a name for a new cube role based on the selected cube role, and to display the Cube Role dialog box, where you can define the new cube role. When you create a new cube role in this way, a database role with the same name and specifications is also created.
Test Role
Click to simulate the selected role by displaying Cube Browser, where you can browse the cube as if you are a user in the role. Use this button to test read permissions and read contingent permissions but not read/write permissions.
To test an end user's inclusion in multiple roles, select the roles and then click Test Role.