Hello,
I have a question concerning security in SSAS 2005. I create two roles, let's say, role 1 and role 2. I have a user, let's Alice that belongs to the two roles.
These roles are set on one specific dimension of my cube. This dimension is organized as hierarchy: Sector, department, division, service and the last level which is called CC.
In role 1 Alice can see one department (let's say dept1) with all its divisions, services and CC.
In the role 2 Alice can see one specific division of dept1, let's say div1, with all its services, and CC.
When Alice browse the cube via Excel tool, there is a strange behavior, if she drag & drop the whole hierarchy of my dimension she can see dept1 with all its divisions, services and so on (role 1). It's the behavior I was expecting the roles are additive.
However if she only drag & drop CC attribute she can see only what is allowed by role 2, i.e., CC related to divi1. If she drag & drop service attribute she still see only what is allowed by role 2, i.e., services related to div1 only. Once she drag & drop department attribute she can see all divisions related to role1. It seems the roles are restrictive and at some stage they become additive???
Any ideas?
Thanks
Assia
I have a question concerning security in SSAS 2005. I create two roles, let's say, role 1 and role 2. I have a user, let's Alice that belongs to the two roles.
These roles are set on one specific dimension of my cube. This dimension is organized as hierarchy: Sector, department, division, service and the last level which is called CC.
In role 1 Alice can see one department (let's say dept1) with all its divisions, services and CC.
In the role 2 Alice can see one specific division of dept1, let's say div1, with all its services, and CC.
When Alice browse the cube via Excel tool, there is a strange behavior, if she drag & drop the whole hierarchy of my dimension she can see dept1 with all its divisions, services and so on (role 1). It's the behavior I was expecting the roles are additive.
However if she only drag & drop CC attribute she can see only what is allowed by role 2, i.e., CC related to divi1. If she drag & drop service attribute she still see only what is allowed by role 2, i.e., services related to div1 only. Once she drag & drop department attribute she can see all divisions related to role1. It seems the roles are restrictive and at some stage they become additive???
Any ideas?
Thanks
Assia