Database, Cube, and Mining Model Roles
A role (also called a security role) defines a set of Microsoft® Windows NT® 4.0, Windows® 2000, or Windows XP user accounts and groups with the same access to Microsoft SQL Server™ 2000 Analysis Services data. Roles are used to implement end user security by controlling access to data on the Analysis server by users connected with client applications. Analysis Services includes three types of roles: database role, cube role, and mining model role.
A database role can be assigned to multiple cubes or mining models in the database, thereby granting users of the role access to these cubes or mining models. Such an assignment creates a cube role or a mining model role with the same name as the database role. A database role provides defaults for cube or mining model roles of the same name. Although in a database role you can specify the type and scope of access to dimension members for cubes, this access is not actually granted until the database role is assigned to a cube. Database roles are defined at the Analysis Services database level, and are maintained in Database Role Manager.
By default, a database role specifies only read access and does not limit the dimension members or cube cells visible to end users. After such a database role is assigned to a cube, users in the role can view the entire cube. However, in both database roles and cube roles, you can specify read/write access and limit the dimension members that are visible and updatable. In cube roles you can limit the cube cells that are visible and updatable. On the other hand, mining model roles provide read-only access to model content.
A cube role applies to a single cube. Defaults in a cube role are derived from the database role of the same name, but some of these defaults can be overridden in the cube role. A cube role contains additional options, such as cell security, that are not contained in a database role. Cube roles are created at the cube level when a database role is assigned to a cube, and they are maintained in Cube Role Manager.
In cube roles, you can indicate whether end users in the role can drill through to a cell's source data. This capability also requires that drillthrough is enabled for the cube or at least one of its partitions. For more information, see Specifying Drillthrough Options.
A mining model role applies to a single mining model. Default memberships in a mining model role are derived from the database role of the same name, but the default membership can be overridden in the mining model role. Mining model roles are created at the model level when a database role is assigned to a model, and they are maintained in Mining Model Role Manager.
An end user may be included in multiple roles on an Analysis server. In this case, the user has the combined access specified in these roles. If any one of the roles provides the user access to an object, the user has access to it. Exceptions are custom rules in dimension security. Not all combinations of custom rules from multiple roles can be resolved. For more information, see Multiple Dimension Custom Rules Applied to an End User.
The security enforcement provided by roles must be preceded by successful authentication of an end user as he or she connects to the Analysis server with a client application. If authentication is not successful, the user will not be able to access data on the Analysis server regardless of his or her membership in roles on that server and the definitions of those roles. For more information, see Server Security and Authentication.