查询多维数据集时未选择维度时,SSAS维度数据权限不适用于度量 [英] SSAS Dimension Data Permissions not applied to measures when the dimension is not selected when querying the cube
问题描述
我对SSAS还是很陌生,所以如果对我的问题有一个明显的答案,请原谅我-我今天进行了大量研究,但自己找不到答案.
I am quite new to SSAS, so please forgive me if there is an obvious answer to my question - I have done a lot of research today and cannot find the answer myself.
我正在尝试将维度数据安全性(以我创建的SSAS DB角色)应用于我的SSAS 2012多维数据集.本质上,我想做的是分配给我创建的角色的用户不应看到特定维度成员的任何数据.
I am trying to apply Dimension Data security (in a SSAS DB role that I have created) to my SSAS 2012 cube. Essentially, what I am trying to do is that users assigned to the role that I have created, should not be able to see any data for a specific dimension member.
因此,当我在SSDT(SQL Server数据工具或带有BI附加组件的Visual Studio)中编辑多维数据集时,我转到角色->打开角色->转到维度数据选项卡->选择下拉菜单中的维度"->取消选中不应允许角色用户看到的维度成员.
So, when I edit the cube in SSDT (SQL Server Data Tools or Visual Studio with BI add-on), I go to Roles --> open the role --> go to Dimension Data tab --> select the dimension in the drop-down --> Un-tick the dimension member(s) that the users in the role should not be allowed to see).
设置完成后,我将通过部署多维数据集来测试角色,然后在SSDT中打开多维数据集->转到浏览器"选项卡->单击更改用户"->选择角色我创建的.
Once this is set up, I test the role by deploying the cube, then in SSDT I open the cube --> go to the 'Browser' tab --> click on 'Change User' --> select the role that I have created.
我的测试结果是:
如果我选择了限制的维度和任何度量,则数据将正确显示,即仅显示我允许的维度成员,并正确显示度量的值每个维度成员. 但是,如果我不选择受限维度(例如,仅选择一项措施),则该措施的总数是不正确的,即,它似乎不排除为角色隐藏的维度成员.
If I select the dimension which I have restricted, and any of the measures, the data is displayed correctly, i.e. only the dimension members which I allowed are displayed with the values for the measure(s) displayed correctly for each dimension member. However, if I do not select the restricted dimension (e.g. select only one of the measures on its own), the total for the measure is incorrect, i.e. it does not appear to be excluding the dimension member(s) hidden for the role.
我在这里想念什么?
我在网上看到一些有关动态SSAS安全性"的帖子/博客,其中似乎涉及将单个Windows登录名映射到允许他们查看的事实行(这涉及在数据源中创建其他隐藏表),但是我无法理解为什么如果SSAS角色也应该这样做呢?我不需要在用户级别定义安全性-用户被分为活动目录组,因此我想将角色映射到相关的AD组,这也应该起作用,不是吗?
I have seen some posts / blogs online talking about 'Dynamic SSAS security' which seems to involve mapping individual Windows logons to the fact rows that they are allowed to see (which involves creating additional, hidden tables in the data source), but I can't get my head around why I would need to do that if the SSAS role should do that as well? I do not need to define security at the user level - users are grouped into active directory groups and so I want to map a role to the relevant AD group and that should work too, shouldn't it?
推荐答案
您必须选中高级"标签中的启用视觉总计"复选框.在我们的网站上查看有关此内容(以及其他SSAS身份验证事项)的整个教程: http://easyroles.com/2014/02/visual-totals- inssas-security/
You have to check 'enable visual totals' checkbox in the advanced tab. Take a look at the whole tutorial about this (and other SSAS authentication matters) on our website: http://easyroles.com/2014/02/visual-totals-in-ssas-security/
这篇关于查询多维数据集时未选择维度时,SSAS维度数据权限不适用于度量的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
