Parent-Child Dimensions
Parent-child dimensions present a special case for a couple of reasons. First,
dimension data security with parent-child dimensions can't be applied on the
dimension key attribute. That's why the Employee attribute hierarchy doesn't
appear in the Attribute drop-down list when you attempt to set up dimension
data security on the Employees dimension.
Second, allowing access to a given member in a parent-child hierarchy automatically
grants access to the member's parents all the way to the root member(s). It
this weren't the case, the user wouldn't be able to navigate to the member.
To test this access, select the Kevin F. Brown member of the Employees attribute,
and notice that Role Designer automatically selects his managers David M. Bradley
and Ken J. Sanchez, as Figure 5
shows.
Steps to UDM Security
Setting and maintaining robust security policies is an essential task that every
UDM administrator has to master. A database role can enforce security policies
at different levels in the cube. Dimension data security restricts members of
a role from seeing dimension members and their associated data by defining appropriate
allowed and denied sets. Autoexists automatically propagates the security filter
to all attribute hierarchies within the same dimension.
Consider enabling Visual Total when you need the aggregated values to include
the contribution of the allowed members only and exclude denied members. Dimension
data security with parent-child dimensions is applied at the parent attribute,
and enabling a member enables access to its parents.
For links to more security resources, go to the "Analysis Services Security"
Web page (listed in Related Resources).