Exforsys.com
 
 

Tutorial 63: MSAS - Introducing Analysis Services Security

 




The Auto Synch Period property controls how often the client and server synchronize; it defaults to 10,000 milliseconds. It is passed in each connection string to Analysis Services. End users and client applications can override the default, so the value can vary from one end user to another. If the Auto Synch Period property is set to Null, synchronization is not constant; it is driven by the end user's actions. For instance, if an end user's access rights are changed while he is connected and browsing a cube, the changes do not take effect until he disconnects from the cube. He cannot be forcibly disconnected from the cube during a query session once access has been obtained. However, if the Auto Synch Period is set to a non-null value, the end user's access rights are reviewed, or synchronized, at the specified interval, and any changes made in the interim have an immediate impact. For instance, if the value is set to a nonzero value and the end user's access to the cube has been removed, the end user will be immediately disconnected from the cube.
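Because the property travels in the client's connection string, an administrator reviewing application configurations can check which clients would keep revoked access until they disconnect. The following is an added example, not code from the original tutorial: it parses connection strings and flags those that disable or stretch the synchronization period. The sample strings, the 60,000 ms policy limit and the treatment of an empty value, "Null" and 0 as equivalent are assumptions.

```python
DEFAULT_PERIOD_MS = 10_000        # default stated in the tutorial
PROPERTY = "auto synch period"    # property name as the tutorial spells it


def parse_connection_string(conn):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    props = {}
    for part in conn.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            props[key.strip().lower()] = value.strip().strip("\"'")
    return props


def classify(conn, max_period_ms=60_000):
    """Return (status, period_ms); max_period_ms is a hypothetical policy limit."""
    props = parse_connection_string(conn)
    if PROPERTY not in props:
        return ("default", DEFAULT_PERIOD_MS)
    raw = props[PROPERTY]
    # Assumption: empty, "null" and 0 all mean "no periodic synchronization".
    if raw == "" or raw.lower() == "null":
        return ("no-periodic-sync", None)
    try:
        period = int(raw)
    except ValueError:
        return ("invalid", None)
    if period < 0:
        return ("invalid", None)
    if period == 0:
        return ("no-periodic-sync", None)
    return ("slow-sync" if period > max_period_ms else "ok", period)


# Constructed sample connection strings (server and catalog names are made up).
SAMPLES = [
    "Provider=MSOLAP;Data Source=olap01;Initial Catalog=Sales",
    "Provider=MSOLAP;Data Source=olap01;Initial Catalog=Sales;Auto Synch Period=Null",
    "Provider=MSOLAP;Data Source=olap01;Initial Catalog=Sales;Auto Synch Period=0",
    "Provider=MSOLAP;Data Source=olap01;Initial Catalog=Sales;auto synch period=600000",
    "Provider=MSOLAP;Data Source=olap01;Initial Catalog=Sales;Auto Synch Period=5000",
]


def audit(conns):
    """Return the connection strings whose setting delays or disables revocation."""
    flagged = ("no-periodic-sync", "slow-sync", "invalid")
    return [(c, classify(c)) for c in conns if classify(c)[0] in flagged]


if __name__ == "__main__":
    for conn, (status, period) in audit(SAMPLES):
        print(f"{status:17} period={period} :: {conn}")
```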


The Administrator performs the following functions with reference to end users:


1. Review and revise Windows NT 4.0 or Windows 2000 user accounts and groups in accordance with the various access requirements of the end users.
2. Create security roles and assign each role to the cubes or data mining models that the users in the role are permitted to access.
3. Define each role assigned to a cube or mining model. Each role's definition can vary for each cube or mining model to which it is assigned.


User accounts and groups in Microsoft SQL Server 2000 Analysis Services are created after the user accounts and groups have been created in User Manager in Microsoft Windows NT 4.0 or in the Computer Management window in Windows 2000. The time required for role maintenance can be reduced if the Administrator has a clear charter of the group memberships before the roles are created in Analysis Services. Where NTLM security support providers are used for authentication, all user accounts and groups must be in the same trusted domain if they are to be granted access rights to cubes. User accounts and groups in other domains will not be able to connect to the Analysis server in this case.


The Administrator assigns database, cube and mining model roles to end users. A role is defined as a set of user accounts and groups with the same access rights and permissions to Analysis Services data. Roles help the Administrator implement end-user security by controlling access to data on the Analysis server. A database role can be assigned to multiple cubes or mining models in the database. In this instance, the end users have access to the cubes or mining models contained in the database. The database role provides defaults for cube or mining model roles of the same name. Once a database role is granted, the Administrator can specify the type and scope of access to dimension members for cubes. Database roles are defined at the database level and are maintained in the Database Role Manager.


By default, the database role specifies read-only access. It also does not limit which dimension members or cube cells are visible to end users: once a user has a database role, he can view the entire cube. However, the Administrator can specify read/write access and limit the dimension members that are visible and updatable in both the database role and the cube role. We will see how this is done a little later in this tutorial. The mining model role confines the user to read-only access.

The cube role is defined for a single cube. Its defaults are derived from the database role of the same name, but the Administrator can override these defaults in the cube role. The additional options in the cube role settings enable the Administrator to define cell security. Cube roles are created at the cube level after the database role is assigned to the cube. These roles are maintained in the Cube Role Manager. The Administrator can also indicate whether he wants to give the end user the right to drill through to a cell's source data. To use this capability, the cube or at least one partition of the cube should be write-enabled.


Mining model roles are also defined for single models. If a database role has been assigned and the mining model role carries the same name, the user derives a default mining model role. This can, however, be overridden by the Administrator. Mining model roles are created when the database role is created and are maintained in the Mining Model Role Manager.


An end user may have multiple roles on an Analysis server. Within the server, the user has combined access to the objects specified in these roles. However, the roles may conflict. Such conflicts are resolved through exceptions, which are custom rules in dimension security. Note that not all combinations of custom rules from multiple roles can be resolved.




Copyright © 2000 - 2009 exforsys.com. All Rights Reserved
