I have created a readonly role and I want to restrict all the users in this role to only a specfic value in the dimension. I go to the dimension Data tab and deselect all values except one values. However, after I process the role, the user can stll see all the values. When I open the role again, the value that I check has been again unchecked
Can someone please help to fix this
In order to have this changed applied, go to Advanced tab and Select Enable Visual Totals > Click OK.
You can also define your set in MDX and add it to Allowed Member set, instead of manually selecting members in the Basic tab, but it's very important to have that check box selected (Enable Visual Totals).
Please check again:
- in General tab - no checkbox should be selected
- Membership tab - add all users which should have this access
- Data Sources - Access None for all; Read Definition - no checkbox selected
- Cubes - Access Read only on the desired cube
- Cell Data - No setting
- Dimensions - Access Read on all
- Dimension Data:
- first restore the role - deselect everything or recreate the role
- Go directly in Advanced > under Dimension selection you should have a structure like:
DatabaseName Dimensions Cube 1 Dimensions Cube 2 Dimensions
- You need to select the Dimension on which you apply the filter under the Cube (not under the database)
- Select the desired Attribute on which you apply the filter
- Add Allowed member set
- Select Enable Visual Totals checkbox.
Also, you need to process Full.
It should work this way, otherwise something is wrong.
True, there's no need for processing. The changes must be deployed on the server.
In case you use Deployment wizard, on the Specify Options for Partitions and Roles step, select either Deploy Roles and Members OR Deploy Roles and Retain Members.
Also, please refer to the following URLs for permissions on SSAS:
Also, you might want to check that these "restricted" users are not in any other database role, and are not configured as ssas administrators.
Users can be in multiple roles and their access is a combination of the roles they belong to.
Hope that helps,
- Proposed as answer by willson yuanMicrosoft contingent staff Tuesday, March 21, 2017 1:52 AM
Thanks for your question.
I agree with Richard. If the user belongs to the server Administrators group or SSAS admin, then he/she can see all the members. Server administrators have administrative permissions on all databases on the server, so they can read, alter, and process any database on the SSAS instance.
MSDN Community Support
Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com
There is no such thing like Server Administrators group have administrative permissions on all databases on the server.
Do not confuse Local Administrators group with Analysis Services server administrators group. They are totally different groups.
In SSAS you can configure permissions on server level (Security) or on database level (Roles).
You can grant access and permissions to local users and groups (including Local Administrators) on an Analysis Services instance, but this does not happen automatically.