Skip to main content

Secure your Semantic Layer

Add a Model Role

Create a Model Role

Create a new model role using the + Role button in the Roles list on the model tab.

  1. Click the + Roles button. The New Role tab appears, and the MEMBERS subtab is selected by default.

  2. Name the role, replacing the default New Role text. Optional:

    1. Add a description in the Description text box. This description will appear in the Roles list on the model tab.

    2. To allow full access to the model role, click the All check box near the top of the subtab.

      Note

      If this option is selected, proceed to Step 8.

  3. From the New member drop-down list, select the group provider type.

  4. In the Enter user name or group name text box, type the name of the item you want to add and select it from the list that dynamically appears.

    Note

    You cannot create custom group providers.

    1. The following group providers are available:

      1. All Groups - Groups defined within your company's environment, including in Active Directory.

      2. All Users - Individual users defined within your company's environment, including in Active Directory.

      3. Data Hub Groups - A built-in list of groups based on Data Hub usage.

      4. Data Hub Users - Individual users with access to the Data Hub application.

  5. Click Refresh to populate the Userswith access list, based on the entries in the Role Members list. All users in this list will be included in the model role. All individual users found within the group are listed.

  6. Review the Userswith access list to verify that the desired individual user or group of users has been added.

    Note

    Use the filter options at the top of the list to reduce the number of displayed entries in the list, if large numbers of entries are present.

  7. Repeat the process until all desired users or groups appear in the Role Members list, and the correct individual users or users within a group appear in the Users with access list.

  8. Click the PERMISSIONS subtab, and configure the model role's permissions.

  9. Use the Publish Roles button in the Properties pane to immediately push the changes or alternately, process and publish the changes.

  10. Once the changes are published, click the Show Current Role button in the Properties panel to filter the Dimension Tree.

  11. Click the same button (now labeled Show All) to redisplay all dimensions and measure groups.

    Note

    • This preview only appears when the model role's tab is viewed. Switching to another tab returns the dimension tree display to whatever is allowed for the logged-in user.

    • For the preview to work, the model server used by the model must have the Enable cube security check box selected.

  12. Click Save and Close.

Add additional users/groups to a model role

You can add additional users or groups to an existing model role at any time.

  1. From the Roles list on the model's tab, click the model role you want to edit.

  2. From the ROLE MEMBERS subtab, add additional users or groups.

  3. Locate the user or group you want to add using the New member drop-down and the Enteruser or group name text box.

  4. Select the user or group.

    1. Click Refresh to update the list.

    2. Review the Users with access list to verify that the new user/group has been added.

  5. Update model role permissions from the PERMISSIONS subtab if necessary.

  6. Use the Publish Roles button to push the model role changes.

  7. Click Save and Close.

Configure dynamic security

Dynamic cube security is the ability to use the currently logged-on user's identity to control which parts of the cube are displayed in analyses and other resources.

The dynamic security feature is configured using a named set, the Current User Member function, and a data model's roles.

Note

When testing the behavior of an analysis, you may either:

  • Log into Data Hub using the user's credentials in an incognito window (Chrome), InPrivate browsing (Internet Explorer), or Private Browsing (Firefox), or use a different computer.

  • Use the Run As feature in Data Hub to temporarily view the application as that user.

  1. Log into Data Hub as a System Administrator.

  2. Make sure the cube is appropriately structured with the following two prerequisites:

    1. The pipeline must contain a User Name column (each user's canonical name).

    2. The pipeline must be related to one or more other pipelines in the model.

  3. Create a named set that contains the Current User Member function on the Drag sets here placeholder.

    1. Within the Current User Member function's box, specify where the list of users is in the cube by dragging a hierarchy level containing them to the Level placeholder.

    2. Select the appropriate value for the Current User Field according to how the users are identified in the Level placeholder. Choose from:

      1. CurrentUserDisplayName (for example John Muir),

      2. CurrentUserName (canonical name ‒ for example contoso\john), or

      3. CurrentUserEmail (for example john@contoso.com).

    3. Click Save.

  4. Add a new role :

    1. On the MEMBERS tab, in the Role Members section, click the All check box, or add users or groups to define which users have the role.

    2. On the PERMISSIONS tab, in the Limit Data section, add the dimension you wish to filter by the currently logged-in user.

      1. Check the Filter Measures check box.

      2. Drag the named set you created in the previous set from the RESOURCE EXPLORER to the Limit dimension to the column.

    3. Click Save.

  5. In the Role panel of the role you just created, click Publish Roles to add the role changes.

  6. Test dynamic security:

    1. Create an analysis with a suitable measure on the Columns placeholder and the same level you used on the Rows placeholder.

    2. Use the Run As feature to run as one of the users in the list.

    3. Refresh the analysis.

    4. Repeat the process to see the display for other users.

Run As feature

This feature allows you to test the cube security settings for a specific user. The dimension tree is also filtered to display just the measures and dimensions from the cube that the user is permitted to access.

  1. Click the Settings button on the Utility Toolbar.

  2. In the User group, click the Run As link.

  3. In the Enter user name tag control, begin typing the user name that you want to test. The list of available users is dynamically updated as you type.

  4. Click the correct user name.

  5. Click Run as.

  6. Verify that your account name and the selected user name appear in the Utility Toolbar.

  7. Check the data displayed in any relevant resources to determine if the user's cube security settings are working as expected.

    Note

    The Settings tab remains unaltered and will continue to show all of the options available to the original administrator who accessed the Run As feature.

  8. Once the user's cube security settings are verified, you can revert to the security settings associated with your account.

    1. Return to the Settings tab.

    2. Click the Run As link again.

    3. Click the Reset button.

    4. Verify that only your account name appears in the Utility Toolbar.