Dimension Data not applying to role?


  • Hi,

    I have created a readonly role and I want to restrict all the users in this role to only a specfic value in the dimension. I go to the dimension Data tab and deselect all values except one values. However, after I process the role, the user can stll see all the values. When I open the role again, the value that I check has been again unchecked

    Can someone please help to fix this


    Aricrypta Private Limited

    Monday, March 20, 2017 8:42 AM

All replies

  • Hi Shah,

    In order to have this changed applied, go to Advanced tab and Select Enable Visual Totals > Click OK.

    That's all.

    You can also define your set in MDX and add it to Allowed Member set, instead of manually selecting members in the Basic tab, but it's very important to have that check box selected (Enable Visual Totals).



    Monday, March 20, 2017 11:57 AM
  • I have setup the dimension security exactly as you suggested but the user in this role can still see all customers.

    This user is not part of any other role

    Aricrypta Private Limited

    Monday, March 20, 2017 1:20 PM
  • Hi Shah,

    Please check again:

    - in General tab - no checkbox should be selected

    - Membership tab - add all users which should have this access

    - Data Sources - Access None for all; Read Definition - no checkbox selected

    - Cubes - Access Read only on the desired cube

    - Cell Data - No setting

    - Dimensions - Access Read on all

    - Dimension Data:

                 - first restore the role - deselect everything or recreate the role

                 - Go directly in Advanced > under Dimension selection you should have a structure like:

        Cube 1
        Cube 2

                 - You need to select the Dimension on which you apply the filter under the Cube (not under the database)

                 - Select the desired Attribute on which you apply the filter

                 - Add Allowed member set 

                 - Select Enable Visual Totals checkbox.

    Also, you need to process Full.

    It should work this way, otherwise something is wrong.



    Monday, March 20, 2017 2:42 PM
  • Hi,

    why do u want to make an full process?

    Monday, March 20, 2017 3:58 PM
  • Hi,

    True, there's no need for processing. The changes must be deployed on the server.

    In case you use Deployment wizard, on the Specify Options for Partitions and Roles step, select either Deploy Roles and Members OR Deploy Roles and Retain Members.

    Also, please refer to the following URLs for permissions on SSAS:


    Monday, March 20, 2017 7:34 PM
  • Also, you might want to check that these "restricted" users are not in any other database role, and are not configured as ssas administrators.

    Users can be in multiple roles and their access is a combination of the roles they belong to.

    Hope that helps,


    Monday, March 20, 2017 11:03 PM
  • Hi Shah,

    Thanks for your question.

    I agree with Richard. If the user belongs to the server Administrators group or SSAS admin, then he/she can see all the members. Server administrators have administrative permissions on all databases on the server, so they can read, alter, and process any database on the SSAS instance.

    Best Regards
    Willson Yuan
    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact

    Tuesday, March 21, 2017 1:54 AM
  • Hi,

    There is no such thing like Server Administrators group have administrative permissions on all databases on the server.

    Do not confuse Local Administrators group with Analysis Services server administrators group. They are totally different groups.

    In SSAS you can configure permissions on server level (Security) or on database level (Roles).

    You can grant access and permissions to local users and groups (including Local Administrators) on an Analysis Services instance, but this does not happen automatically.



    Tuesday, March 21, 2017 8:52 AM