Access Control
After a multidimensional cube model is established, not everyone should be able to access all the data. To address this, define access control permissions through roles and assign the roles to users.
Roles for model access control are divided into two types:
- Standard Role (Single Role)
- Composite Role
Access Control Overview
The access control overview interface has two functions:
- Role Management: A list of all roles in the semantic model, with the ability to delete roles.
- User Management: A list of users assigned access control, allowing for adding, removing, and modifying role assignments for users.
  - Click the add user button to select users in the pop-up window to add them to the user list.
  - Modify role assignments for each user in the role column.
Click the New Role button on the right side of the navigation bar to create a new role.
Standard Role
A standard role (single role) restricts user permissions by controlling the dimensions and members of the multidimensional cube.
The functionality for creating a standard role is divided into the following sections:
- Role Overview
- Multidimensional Cube
- Dimensions & Members
Role Overview
In the role overview, you can set the default access permissions for the role and assign this role to users.
Default access options include:
- All: Users can access all multidimensional cubes in the semantic model.
- All Dimensions: Users can access all dimensions in the semantic model, but multidimensional cubes require explicit authorization.
- None: Users cannot access anything unless explicitly authorized.
In the user list, you can add or remove accounts to assign this role to users, in the same way as assigning user permissions in the access control overview interface.
Multidimensional Cube
To explicitly set transaction permissions on a multidimensional cube for this role, drag the multidimensional cube from the model entity area to the role's multidimensional cube area. Then click the multidimensional cube to select it, and the page navigates to the corresponding multidimensional cube permission setting interface.
Default access:
- All:
- Custom: Unless the role's default access is set to 'All Dimensions', dimensions will not inherit access permissions from this multidimensional cube.
- None:
Dimensions & Members
For a single multidimensional cube, different dimensions (hierarchies) can be added to the role, and their permission control attributes can be configured.
- Default access:
  - All: Users can access all dimension members.
  - Custom: Specific member sets can be explicitly restricted using the highest level, lowest level, or members.
  - None: Users cannot access this dimension.
- Highest Level: Defines the highest level users can access, preventing users from seeing too much of the "big picture," such as viewing revenue accumulated to the Store Country level.
- Lowest Level: Defines the lowest level users can access, preventing users from intruding into detailed information of individual customers.
- Members: Specify the visibility of members individually.
Member authorization has order and inheritance capabilities, following these rules:
- Members inherit access permissions from parent members. If you cannot access California, you cannot see San Francisco.
- Authorization depends on order. If you have access to the USA but not Oregon, you will not see Oregon or Portland. But if you do not have access to Oregon and then have access to the USA, you can see everything.
- If any child members of a member are visible, the member is visible. Suppose you do not have access to the USA, then have access to California. You will be able to see the USA and California but not other states under the USA. However, the aggregate number for the USA will still reflect all its states.
- Member authorization does not override the top and bottom levels of hierarchy authorization. If you set the Highest Level equal to Customer [Province/City] and grant access to California, you will not see the USA.
Aggregation Strategy
If the current role cannot see all child members of a member, the aggregation strategy determines how to calculate the aggregate number of the member. Under the default aggregation strategy All, the aggregate number of the member includes the values of invisible child members.
- All: The total of the member includes all child members. This is the default strategy if no aggregation strategy attribute is specified.
- Partial: The total of the member only includes accessible child nodes.
- Hidden: If any child nodes are inaccessible, the total is hidden.
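The first three member authorization rules and the three aggregation strategies can be traced with a small model. This is an added example, not the product's own code: the hierarchy, the values, and the function names are constructed, it assumes the dimension's default access is Custom with nothing granted until a member grant says so, and it leaves out the Highest Level and Lowest Level limits.

```python
# Added illustration: constructed hierarchy (child -> parent) and leaf values.
PARENT = {"USA": None, "California": "USA", "Oregon": "USA",
          "San Francisco": "California", "Los Angeles": "California",
          "Portland": "Oregon"}
VALUE = {"San Francisco": 10, "Los Angeles": 20, "Portland": 5}

def ancestors(member):
    while PARENT[member] is not None:
        member = PARENT[member]
        yield member

def children(member):
    return [c for c, p in PARENT.items() if p == member]

def granted(member, grants):
    """Ordered grants: the last one naming the member or an ancestor wins.
    Assumes dimension default access 'Custom', i.e. deny until granted."""
    scope = {member, *ancestors(member)}
    access = False
    for target, allow in grants:
        if target in scope:
            access = allow
    return access

def visible(member, grants):
    """A member is also visible when any descendant is visible."""
    return granted(member, grants) or any(
        visible(c, grants) for c in children(member))

def total(member, grants, strategy="All"):
    """Aggregate under 'All', 'Partial' or 'Hidden'; None means hidden."""
    kids = children(member)
    if not kids:
        return VALUE[member]
    seen = [c for c in kids if visible(c, grants)]
    if strategy == "Hidden" and len(seen) < len(kids):
        return None
    used = kids if strategy == "All" else seen
    parts = [total(c, grants, strategy) for c in used]
    return None if None in parts else sum(parts)

# Rule 3 from the list above: deny USA first, then grant California.
GRANTS = [("USA", False), ("California", True)]

if __name__ == "__main__":
    for name in PARENT:
        print(name, visible(name, GRANTS))
    for strategy in ("All", "Partial", "Hidden"):
        print(strategy, total("USA", GRANTS, strategy))
```

Under the default All strategy, the USA total minus the visible California total equals the value of the hidden Oregon branch, so choose Partial or Hidden when the values of invisible members must not be derivable from totals.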
Composite Role
Composite roles combine multiple roles and have the sum of their authorizations.
If one or more constituent roles of a composite role can see a specific semantic model object, then the composite role can see it. Similarly, the aggregation strategy of a composite role relative to a specific hierarchy is the least restrictive of all role aggregation strategies.