Schemas Permissions

Schema permissions allow granting access to data from the schema level down to the (cube) cell level.

Definitions until icCube 6.8

Starting with icCube 6.8, schema permissions are defined using an authorization language. Please refer to this page for the documentation covering earlier versions of icCube.

Authorization Language

Starting with icCube 6.8, schema permissions are defined using an authorization language. Existing icCube installations are migrated automatically. This is the same language as the one used for on-the-fly authorization (i.e., when the role is defined at login time from data held outside of icCube). The existing language has been extended slightly to fully support the roles of previous icCube versions.

Authorization Language Definition

Permissions are defined using "lines"; each line either grants access (+) or denies access (-) to the named MDX entity or entities. Within a scope, a first line of '+' means all entities are DENIED first, whereas a first line of '-' means all entities are AUTHORIZED first. See the examples below.

MDX entity names follow the MDX standard (e.g., [Sales], [Time].[Calendar]).

Global Section

The global section defines authorizations that apply to all schemas, as well as the list of authorized schemas.


-- Defines the default Read/Write mode for all schemas (default: W)
-- Can be re-defined for any given schema later.

+schemaAccess [R|W]


-- Deny drillthrough for all the schemas

-drillthrough


-- Authorize/deny a schema; use a single line for each schema
-- (if not specified all schemas are authorized).

[+|-] schema schema-name


-- Deny access to all the schemas.

-schemaS

    

Schema Section

For each specified schema, grant or deny access to the schema entities.


-- The following line introduces a schema scope: following authorization lines
-- apply to this schema:

:schema schema-name


-- (Re)Define the schema access mode for this schema.

+schemaAccess [R|W]


-- Disable drillthrough for this schema.

-drillthrough 


-- Authorize/deny the reporting data-source.

[+|-] reportingDataSource data-source-name


-- Deny all reporting data-sources for this schema.

-reportingDataSourceS


-- Authorize/deny the dimension.

[+|-] dimension name


-- Authorize/deny the hierarchy

[+|-] hierarchy name


-- Deny the level, removing all descendant levels.

-level name


-- Allow for redefining the hierarchy default members ( e.g., [Geography].[GEO].[France] )

+defaultMember name


-- Authorize/deny the cube as well as defining its read/write access mode.

[+|-] cube [R|W] name


-- Authorize/deny the measure-group (aka. facts).

[+|-] measureGroup name


-- Authorize/deny the perspective.

[+|-] perspective perspective-name


-- Deny all perspectives for this schema.

-perspectiveS


-- Allows for authorizing members/tuples.
--
--   D       : applies only to the dimension definition (e.g. denying a specific member)
--             the set-expression is a set of members only.
--
--   C       : cells/facts (measures will not access rows defined by the members,
--             e.g. removing the access to all data defined by a specific member).
--
--   NO_DESC : does not apply to descendants.
--
--   Default Values : DC and DESC
--
--   The order of the sequence is relevant:
--       -FRANCE followed by +FRANCE == FRANCE authorized
--       +FRANCE followed by -FRANCE == FRANCE denied
--
--   Measures cannot be granted/denied individually; authorization applies only to whole measure groups.
--   Calculated measures/members are not supported (note that perspectives can hide calculated measures/members).

[+|-] tuples [D|C|DC] [NO_DESC] set-expression

    

Examples

Example 1

An empty profile grants full access to all schemas.

 
    

Example 2

The following profile denies access to all schemas.

-schemas
    

Example 3

The following profile grants read access to all schemas except [Sales].

+schemaAccess R
-schema [Sales]
    

Example 4

The following profile grants access to the schema [Sales] only and removes all data from Switzerland. Note that the member [Switzerland] is still visible.

+schema [Sales]

:schema [Sales]
-tuples C [Geography].[Geo].[Switzerland]
    

Example 5

The following profile grants access to the schema [Sales] only and denies access to the member Switzerland and its data.

+schema [Sales]

:schema [Sales]
-tuples DC [Geography].[Geo].[Switzerland]
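
As an added illustration (not icCube code and not part of the original documentation), the Python sketch below evaluates only the schema-level lines of a profile, following the first-sign rule and Examples 1 to 4, so a profile can be reviewed for which schemas it leaves reachable and in which mode. The function name schema_access, the constructed schema name [HR] used when calling it, and the assumptions listed in the first comment are introduced here.

```python
import re

# Assumptions of this sketch (not stated by the page): keywords are matched
# case-insensitively, -schemas only sets the default to "denied", and later
# +/- schema lines override earlier ones (the page states this for tuples).
RULE = re.compile(r"^([+-])\s*(\w+)\s*(.*)$")

def schema_access(profile, known_schemas):
    """Return {schema: 'R' | 'W' | None}; None means the schema is denied."""
    default_mode = "W"      # page: default access mode is W
    default_allowed = None  # set by the first schema line, see below
    decisions = {}          # explicit +/- schema lines from the global section
    overrides = {}          # +schemaAccess lines inside a :schema scope
    scope = None            # None while still in the global section
    for raw in profile.splitlines():
        line = raw.strip()
        if not line or line.startswith("--"):
            continue
        if line.lower().startswith(":schema"):
            scope = line[len(":schema"):].strip()
            continue
        match = RULE.match(line)
        if not match:
            raise ValueError(f"unrecognized line: {raw!r}")
        sign, keyword, arg = match.group(1), match.group(2).lower(), match.group(3).strip()
        if keyword == "schemaaccess" and sign == "+":
            if arg not in ("R", "W"):
                raise ValueError(f"bad access mode: {raw!r}")
            if scope is None:
                default_mode = arg
            else:
                overrides[scope] = arg
        elif scope is None and keyword == "schemas" and sign == "-":
            default_allowed = False
        elif scope is None and keyword == "schema":
            if default_allowed is None:
                # First '+' => everything denied first; first '-' => authorized first.
                default_allowed = sign == "-"
            decisions[arg] = sign == "+"
        # Other entity lines (cube, dimension, tuples, ...) are not evaluated here.
    if default_allowed is None:
        default_allowed = True  # no schema lines: all schemas are authorized
    return {
        name: overrides.get(name, default_mode) if decisions.get(name, default_allowed) else None
        for name in known_schemas
    }
```

Calling schema_access with the text of Example 3 and the schema list [Sales], [HR] reports [Sales] as denied and [HR] as read-only, which makes a profile that unintentionally starts with a '-' line (and therefore authorizes every other schema) easy to spot in review.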