To assign database roles to users, right click the database and select manage roles… option. The advantage of creating database roles is that it enables the Administrator to restrict access of specific users to specific objects in the database. Even when a new role is created at the cube level, it is a role created at the database level as the same groups and users exist at all levels. A role can be directly created at the database level and applied to the cube. We will create budget analysts role in this section to understand how database roles are created. In the Analysis manager console tree right click the database and select Manage Roles.
The Database Role manager appears.
|
|
The Database Role manager is similar to the Cube role manager in appearance. It displays all the roles existing for the database. The All users role created in the Cube role manager is displayed as a database role in the Database role manager. In other words, database roles can be created in the Cube Role manager also. However, there are a number of differences in the role managers.
Click the New button to begin creating new database roles. Type in Budget Analyst in the Role name box and click Add to add a new group role. Select _Budget Analyst group and click Add. Note that the name appears in Add names text box and click Ok.
|
|
The user group appears in the database role manager dialog box under users and groups.
The dialog box displays a warning at the bottom that changes will propagate to cube roles based on this role. This is because the database role is global and can be used by one or more cubes within the database. The intrinsic membership role will be the same for all users of the role.
|
|
Note that the roles now appear in the Role manager.
Note that the Database Role dialog box contains a drop down list labeled Enforce on. The drop down list contains two values: Server and Client. When this is enforced on the client it restricts the values stored in the Client cache. The PivotTable Services will determine whether to allow values to be stored in the client cache for retrieval and use. When this is enforced on the server, the client side cache gets effectively disabled and no values will pass to the client over the network whether security is enforced on the client or not.
It is possible to make a duplicate copy of an existing role and make modifications on it. When making a duplicate copy, the Administrator will be prompted to give the role a new name. To make a duplicate click the duplicate button after selecting the role to be duplicated. A small dialog box appears prompting us to enter a new name as under:
|
|
Enter the name and click ok. The new role appears as an exact copy of the previous one with a new name. Now the role can be edited to make changes.
|
|
Click the ellipsis button in the Cubes & Mining models column. The dialog that appears is identical to the create a Database role dialog box. However, note that the caption is different and the name cannot be changed or entered.
|
|
Navigate to the Cubes tab and clear the sales cube check box and select Sales forecast check box. Click Ok
|
|
Existing roles can also be changed. Select the detailed reviewers role and click the Edit button. The same dialog boxes as above are displayed. Edit the role and click ok. A role can be deleted from within the database. Select the role to be deleted and Click the delete button. Confirm the deletion when asked to confirm.
When a database role is created it must be explicitly added to the cube. A default role gives unrestricted access to read any cell value, but gives the user no power to writeback to the cube.
