Example 2—Explicitly Specifying a Denied Set

Artykuł
12/03/2008

In this example, a database role has the dimension security settings that are shown in the following table.

Attribute	IsAllowed	DeniedSet	ApplyDenied	VisualTotals
State	True	Oregon	True	False
City	True		True	False
Gender	True		True	False

The results of these dimension security settings are the following:

The Oregon member of the State attribute will not be visible to this database role. (Oregon has been specified in the denied set for the State attribute.)
None of the members of an attribute hierarchy that includes Oregon (in this case, the members of the City attribute) will be visible to this database role. (The ApplyDenied property is enabled.)

Reviewing the Result Set

Based on these dimension security settings for the role (and based on cube access to all cells), the following result set is returned from the cube when all members are queried.

All Level	State	City	Gender	Sales Amount
All Offices				27300
	California			12900
		San Jose		4200
			Male	2000
			Female	2200
		San Francisco		4400
			Male	2200
			Female	2200
		Los Angeles		4300
			Male	2100
			Female	2200
	Washington			8700
		Seattle		4500
			Male	2200
			Female	2300
		Tacoma		4300
			Male	2000
			Female	2300

Notice that although the result set does not explicitly provide totals for Oregon, this information can still be deduced by a member of this database role. A member of this role can view the total sales for all offices and can view the total sales for both California and Washington. Therefore, a member of this database role would be able to infer the total sales for Oregon, even though that member is explicitly denied permission to see sales within Oregon. To prevent a member of this database role from being able to deduce the totals for Oregon, enable the VisualTotals property.

Udostępnij za pośrednictwem

Example 2—Explicitly Specifying a Denied Set

Reviewing the Result Set

See Also

Tasks

Concepts

Help and Information

Dodatkowe zasoby