The type and scope of access to a cube by end users in a cube role is determined by the settings in the cube role. An end user can access only those cubes that are assigned a role containing that end user's user name.
A database role provides defaults for the cube roles of the same name, but some of these defaults can be overridden in the cube roles. After a database role is created, it can be assigned to any cube (including virtual and linked cubes) in the database. This action grants the end users in the database role access to the cube and creates a cube role with the same name as the database role. Database roles are assigned to cubes in the Cubes tab of the Database Role dialog box or in Cube Role Manager.
If a cube role does not specify restrictions on dimension members, end users in the cube role can view all members in the associated cube. If a dimension has been write-enabled, and the cube role has been granted read/write access to the dimension, the end users can also update members in the dimension. However, a database role or cube role can specify that some members can be viewed and updated and others cannot. For more information, see Dimension Security.
Similarly, by default, end users in a cube role can view all cells in the associated cube. If the cube has been write-enabled, and the cube role has been granted read/write access to the cube, the end users can also update cube cells. However, a cube role can specify that some cells can be viewed and updated and others cannot. For more information, see Cell Security.
By default, end users in a cube role cannot drill through to any of the cube cells' source data. However, in a cube role you can grant this ability. If you grant this ability, you must enable drillthrough for the cube or for at least one of its partitions.