In icCube access rights allows to authorize and/or deny access to several resources : application features, schemas/cubes, dimensions, members, cells, etc... They are defined by roles. Users can then be attached one or more roles. Upon login, users can decide to use their default role (the first in their list of role) or specify a role using the syntax username/rolename in the login window.
Roles are configured using the monitoring/roles application in the WEB user interface.
It is possible to authorize and deny access to several applications (or features) of WEB interface. The same way, access to both the XMLA and Google visualization network interfaces can be restricted.
The highest level of authorization is at schema level. Schemas can authorized and denied. You can as well define there the default access mode for the cube: that is, whether the cube will be in read only of read/write (i.e., write-back enabled) mode. This settings can be overridden at cube level.
Note that when using cubes defined using header based definitions, you cannot authorize/deny dimensions/hierarchies/members and cells.
Dimension / Hierarchy / Members
Similarly to schemas, you can authorize/deny dimensions and hierarchies. Allowed/denied members are defined at hierarchy level using regular MDX (tuple/set) expressions. Note that you can redefine the default member of the hierarchy in case the original one is not allowed anymore. The option apply-to-facts allows you to filter as well the corresponding cells of the cube (doing this way you'll see a visual totals of the members).
Cubes / Measure Groups / Cells
Allowed/denied cells are defined at measure group levels. They're defined using both optional MDX expressions. If not allowed-cells are defined, then the list of authorized cells is "all cells" minus the denied cells/