How to create a cube role, change its default values, and specify cell security

To create a cube role, change its default values, and specify cell security

In the Analysis Manager tree pane, right-click the cube for which you want to create a cube role, and then click Manage Roles.
In Cube Role Manager, unchecked roles are database roles without access to the cube. Checked roles are cube roles, which have access. Do one of the following:
- To create a new cube role by granting access to a database role, select the check box beside the database role. The remaining steps in this procedure are optional. To continue, select the cube role, and then click Edit.
- To use an existing cube role as the basis for the new cube role, select the existing cube role, and then click Duplicate. (This action also creates a database role with the same name as the new cube role.) In the Duplicate Role dialog box, specify a name for the new role that is 50 characters or less and begins with an alphabetical character, and then click OK. Select the new role, and then click Edit.
- To define the new cube role without values from another role, click New. (This action also creates a database role with the same name as the cube role.) In the Cube Role dialog box, type a value in the Role name box. You can enter a maximum of 50 characters; the name must begin with an alphabetical character.
(Optional.) In the Cube Role dialog box, type a value in the Description box.
In the Enforce on box, select one of the following:
- Server. Server enforcement is more secure but may slow performance. Queries are resolved entirely on the Analysis server or at the data source.
- Client. Client enforcement generally provides better performance but may allow users to gain unauthorized access to data on the client workstation. Queries might be resolved partially or completely at the client workstation.
In the Enable drillthrough check box, indicate whether the role can drill through to the source data for a cell. This ability also requires that you enable drillthrough for the cube or at least one of its partitions. For more information, see Specifying Drillthrough Options.
In the Membership tab, specify the users and groups in the role.
Note Changes in this tab propagate to the database role and cube roles with the same name as the edited cube role.

To begin adding users and groups, click Add, and then in the Add Users and Groups dialog box:
1. In the List Names From list, click the domain from which to select users and groups.
2. To display users under Names, click Show Users.
3. To display a group's members, click the group, and then click Members.
4. To add a user or group to the role, click the user or group, and then click Add.
5. After you have added the users and groups to the role, click OK.
To remove a user or group from the role, in the Membership tab, select the user or group, and then click Remove.

(Optional.) In the Dimensions tab, for each displayed permission, select a rule. (A read/write permission appears only for a write-enabled dimension.) The following table describes the rules that are available for each permission.

Permission	Rule	Rule description
Read	Unrestricted	The role can view all members. This rule is the default.
	Fully Restricted	The role cannot view members. When users in the role browse the cube, they do not see the dimension.
	Custom	Only the levels and members you specify in the Custom Dimension Security dialog box can be viewed. To access this dialog box, select Custom, and then in the Custom Settings column, click the edit (...) button. For more information, see Defining Custom Rules for Dimension Security.
Read/write	Unrestricted	The role can update all members. This rule is available only if the rule for the read permission is Unrestricted.
	Fully Restricted	The role cannot update members. This rule is the default and is available only if the rule for the read permission is Unrestricted or Fully Restricted.
	Custom	Only the levels and members you specify in the Custom Dimension Security dialog box can be updated. To access this dialog box, select Custom, and then in the Custom Settings column, click the edit (...) button. This rule is available only if the rule for the read permission is Unrestricted or Custom. For more information, see Defining Custom Rules for Dimension Security.

Changes to a read/write permission propagate to the database role of the same name. For more information about these permissions and rules, see Dimension Security.

(Optional.) In the Cells tab, in the Cell security policy box, select one of the following three policies:
- Unrestricted read
  The role can view all cell values. This policy is the default.
- Unrestricted read/write
  The role can view and update all cell values. This policy is available only if the cube you selected in Step 1 is write-enabled or if the virtual cube you selected in Step 1 has one or more write-enabled, component cubes.
- Advanced
  The role can view and update only the cell values you specify in the permissions and rules in the Cells tab.
- Allow users to commit writeback changes
  This option is available only for write-enabled cubes with an Advanced cell security policy. If this option is selected, changes are permanently recorded in the writeback table. If this option is not selected, changes apply only to ad hoc analysis and are temporary.

(Optional.) If in the preceding step you selected the Advanced policy, select a rule for each permission displayed in the Cells tab. (A read/write permission appears only if in Step 1 the cube you selected is write-enabled, or if the virtual cube you selected has one or more write-enabled, component cubes.) The following table describes the rules that are available for each permission.

Permission	Rule	Rule description
Read	Unrestricted	The role can view all cell values. This rule is the default.
	Fully Restricted	The role can view only the cell values specified in the read/write permission or read contingent permission, subject to its limitations. For more information about the limitations of the read contingent permission, see Cell Security.
	Custom	You can specify the cell values that are viewable and not viewable in the Cube Cell Security dialog box. To access this dialog box, select Custom, and then in the Custom Settings column, click the edit (...) button.
Read contingent	Unrestricted	The role can view all cell values that are not derived from other cells. If a cell value is derived from other cells, it is viewable if all the other cells are included in the read or read/write permission.
	Fully Restricted	The role can view only the cell values specified in the read permission or read/write permission. This rule is the default.
	Custom	You can specify the cell values that are viewable and not viewable, subject to the limitations of the read contingent permission. (For more information about the limitations of the read contingent permission, see Cell Security.) To do this, use the Cube Cell Security dialog box. To access this dialog box, select Custom, and then in the Custom Settings column, click the edit (...) button.
Read/write	Unrestricted	The role can update all cell values.
	Fully Restricted	The role cannot update cell values.
	Custom	You can specify the cell values that are updatable and not updatable in the Cube Cell Security dialog box. To access this dialog box, select Custom, and then in the Custom Settings column, click the edit (...) button.

For more information about these permissions and rules, see Cell Security.

In the Cube Role dialog box, click OK.

The read/write permission in the Dimensions tab is effective only as long as the dimension remains write-enabled. For more information, see Write-Enabled Dimensions.

The Unrestricted Read/Write policy and read/write permission in the Cells tab are effective only as long as the cube remains write-enabled. For more information, see Maintaining Write-Enabled Cubes and Writeback Data.

How to create a cube role, change its default values, and specify cell security

See Also