Dela via


Example 2—Explicitly Specifying a Denied Set

In this example, a database role has the dimension security settings that are shown in the following table.

Attribute

IsAllowed

AllowedSet

DeniedSet

ApplyDenied

VisualTotals

State

True

Oregon

True

False

City

True

True

False

Gender

True

True

False

The results of these dimension security settings are the following:

  • The Oregon member of the State attribute will not be visible to this database role. (Oregon has been specified in the denied set for the State attribute.)

  • None of the members of an attribute hierarchy that includes Oregon (in this case, the members of the City attribute) will be visible to this database role. (The ApplyDenied property is enabled.)

Reviewing the Result Set

Based on these dimension security settings for the role (and based on cube access to all cells), the following result set is returned from the cube when all members are queried.

All Level

State

City

Gender

Sales Amount

All Offices

27300

California

12900

San Jose

4200

Male

2000

Female

2200

San Francisco

 

4400

Male

2200

Female

2200

Los Angeles

 

4300

Male

2100

Female

2200

Washington

 

8700

Seattle

 

4500

Male

2200

Female

2300

Tacoma

 

4300

Male

2000

Female

2300

Notice that although the result set does not explicitly provide totals for Oregon, this information can still be deduced by a member of this database role. A member of this role can view the total sales for all offices and can view the total sales for both California and Washington. Therefore, a member of this database role would be able to infer the total sales for Oregon, even though that member is explicitly denied permission to see sales within Oregon. To prevent a member of this database role from being able to deduce the totals for Oregon, enable the VisualTotals property.