Model roles
Overview
Model roles provides a defined level of access to the cube for a defined group of users.
Membership
To view a model role's settings, click it on the model screen's Roles list.
When a model role is clicked, it is displayed in a separate tab.
This tab displays the following information.
Role name
Role description
MEMBERS subtab
All currently selected users or groups appear in the Role Members list.
The Users with access list shows all users assigned to the role, including individual users and all users in any selected group.
Note
All Groups. Groups defined within your company's environment, including in Active Directory. All Users. Individual users defined within your company's environment, including in Active Directory.
PERMISSIONS subtab
Allow Schema area - Displays both modules and individual (additional) pipelines that are accessible to assigned members of the current role.
Limit Data area - Displays any specified filtering within dimensions and allows you to determine what is included in the Dimension Tree for the members assigned to this role.
Note
A model role's PERMISSIONS subtab allows you to use permissions to control the data available to a model role's members. You can specify individual modules or pipelines within the model role (using the Allow Schema area). Once specified, only the data in these modules and pipelines will appear to users in the model role. In addition, you can further limit the available data based on specific dimensions, members, and named sets, if desired (using the Limit Data area).
Securing pipelines
Model roles provide a convenient way of creating and managing cube security for cubes built from data models. Model roles may be dynamically populated from Active Directory security groups, as well as groups in source systems. This means that once model roles using the appropriate groups are created in Data Hub, administrators need only manage the membership of the groups in the source system to control access to the cube.
Model roles are easily created and managed as part of a model. Each model role provides a defined level of access to the cube for a defined group of users. It consists of three parts:
Name plus an optional description.
Role members. A role member may be a user, an Active Directory security group, a group in a source system or a Data Hub user via Active Directory, Azure AD or ADFS authentication. An All option is also provided to allow all users with access to Data Hub to access the cube.
One or more permission settings. Access may be allowed to dimensions and measures associated with individual pipelines, and/or to all pipelines associated with a module. Access may be restricted to specific members within one or more dimensions. An All option is also provided to allow access to the entire cube.