INF: Dimension Rules for Security Role Not Saved When Programmatically Set (293815)


The information in this article applies to:

  • Microsoft SQL Server 2000 Analysis Services
This article was previously published under Q293815

SUMMARY

When applying permission rules on an OLAP dimension for an OLAP role, the rules are not applied until the role is edited in either the Database Role Editor or the Cube Role Editor in the Analysis Manager, and the OK button is clicked.

MORE INFORMATION

This behavior occurs when you programmatically set role permission rules for dimensions and the permission expression used in the program is incomplete. The behavior may also occur when a private dimension is improperly referenced while defining rules for a role at the database level.

When role permission rules for dimensions are set from the Database Role Editor or the Cube Role Editor in Analysis Manager, any missing information is added by the Role Editor. This information is not added when role permission rules are added programmatically.

Steps to Reproduce Behavior

  1. Create a new Microsoft Visual Basic application, and add a reference to Microsoft Decision Support Objects.
  2. Remove the default form and add a module.
  3. Add the following code to the Visual Basic module:
    Const ServerName = "localhost" '"SERVER-NAME"
Const DatabaseName = "Foodmart 2000" '"OLAP-DATABASE-NAME"
Const UserList = "USERS" '"DOMAIN-NAME\USER-ID;DOMAIN-NAME\USER-ID"
Const CubeName = "HR" '"CUBE-NAME"
Sub Main()

    Dim dsoServer As DSO.Server
    Dim dsoRole As DSO.Role
    Dim dsoCubeRole As DSO.Role
    Dim dsoDB As DSO.Database
    Dim RoleName As String
    
    RoleName = "Fred"
    
    Set dsoServer = New DSO.Server
    'Connect to server.
    dsoServer.Connect ServerName
    
    'Connect to database.
    Set dsoDB = dsoServer.MDStores.Item(DatabaseName)
    
    If dsoDB.Roles.Find(RoleName) Then
       dsoDB.Roles.Remove (RoleName)
    End If
    
    Set dsoRole = dsoDB.Roles.AddNew(RoleName, sbclsRegular) ' 0) ' sbclsRegular
    
    'Set role description.
    dsoRole.Description = "Test through Visual Basic application"
        
    dsoRole.LockObject 1, "Creating Role"
        
    'Set Enforcement Location permission key.
    dsoRole.SetPermissions "EnforcementLocation", "Server"
                
    'Add group of users or single user to roles.
    
    dsoRole.UsersList = UserList
        
    Dim strAllowedSet As String
    Dim strDimensionSecurity As String
    
    'Set Permission on Dimensions Time.
    strAllowedSet = "[Time].[1997].[Q1]:[Time].[1998].[Q4]"
    
    strDimensionSecurity = "<MEMBERSECURITY IsVisible=""True"" VisualTotalsLowestLevel=""[Time].[Quarter]"">"
    strDimensionSecurity = strDimensionSecurity & "<PERMISSION Access=""Read"""
    strDimensionSecurity = strDimensionSecurity & " AllowedSet=""{" & strAllowedSet & "}"""
    strDimensionSecurity = strDimensionSecurity & " UpperLevel=""[Time].[Year]"""
    strDimensionSecurity = strDimensionSecurity & " LowerLevel=""[Time].[Quarter]"""
    strDimensionSecurity = strDimensionSecurity & " /></MEMBERSECURITY>"
        
    dsoRole.SetPermissions "Dimension:Time", strDimensionSecurity
    
    'Set Permission on Dimension Store.
    strAllowedSet = "[Store].[All Stores].[USA].[CA],[Store].[All Stores].[USA].[WA],[Store].[All Stores].[USA].[OR]"
    strDimensionSecurity = "<MEMBERSECURITY IsVisible=""True"" VisualTotalsLowestLevel=""[Store].[Store Country]"">"
    strDimensionSecurity = strDimensionSecurity & "<PERMISSION Access=""Read"""
    strDimensionSecurity = strDimensionSecurity & " AllowedSet=""{" & strAllowedSet & "}"""
    strDimensionSecurity = strDimensionSecurity & " UpperLevel=""[Store].[Store Country]"""
    strDimensionSecurity = strDimensionSecurity & " LowerLevel=""[Store].[Store State]"""
    strDimensionSecurity = strDimensionSecurity & " /></MEMBERSECURITY>"
        
    dsoRole.SetPermissions "Dimension:Store", strDimensionSecurity
        
    'Deny access to other dimensions.
    For i = 1 To dsoDB.Dimensions.Count
        If dsoDB.Dimensions(i).Name <> "Time" Then
           If dsoDB.Dimensions(i).Name <> "Store" Then
           ' Pay Type is a private dimension in the HR cube.
           ' Setting permissions at the Database Level
           ' so preface it with the name of the cube and ^.
              If dsoDB.Dimensions(i).Name <> "HR^Pay Type" Then
                 If dsoDB.Dimensions(i).Name <> "Store Type" Then
                    If dsoDB.Dimensions(i).Name <> "Measures" Then

                    ' Comment these two lines, because they contain an incomplete permission statement.
                      strDimensionSecurity = "<MEMBERSECURITY IsVisible=""False"">"
                      strDimensionSecurity = strDimensionSecurity & "</MEMBERSECURITY>" 


                    ' Uncomment these lines, containing a complete permission statement, to apply the security rules.
                      'strDimensionSecurity = "<MEMBERSECURITY IsVisible=""False"">"
                      'strDimensionSecurity = strDimensionSecurity & "<PERMISSION Access=""Read"" "
                      'strDimensionSecurity = strDimensionSecurity & "UpperLevel=""[" & Trim(dsoDB.Dimensions(i).Name) & "].Levels(0)"" "
                      'strDimensionSecurity = strDimensionSecurity & "LowerLevel=""[" & Trim(dsoDB.Dimensions(i).Name) & "].Levels(0)"" "
                      'strDimensionSecurity = strDimensionSecurity & "AllowedSet=""{[" & Trim(dsoDB.Dimensions(i).Name) & "].Levels(0).Members(0)}""/> "
                      'strDimensionSecurity = strDimensionSecurity & "</MEMBERSECURITY>" 

                      dsoRole.SetPermissions "Dimension:" & dsoDB.Dimensions(i).Name, strDimensionSecurity
                    End If
                 End If
              End If
           End If
        End If
    Next
    
    'Unlock the database.
    dsoRole.UnlockObject
    'Update the Role.
    dsoRole.Update
    
    Dim dsoCube As DSO.Cube
    Set dsoCube = dsoDB.MDStores(CubeName)

    dsoCube.LockObject 1, "Creating New Roles"
    Set dsoCubeRole = dsoCube.Roles.AddNew(RoleName)
           
    strDimensionSecurity = "<MEMBERSECURITY>"
    strDimensionSecurity = strDimensionSecurity & "<PERMISSION Access=""Read"""
    strDimensionSecurity = strDimensionSecurity & " AllowedSet=""{[Measures].[Org Salary],[Measures].[Count],[Measures].[Number of Employees]}"""
    strDimensionSecurity = strDimensionSecurity & " /></MEMBERSECURITY>"
    
    dsoCubeRole.SetPermissions "Dimension:Measures", strDimensionSecurity
    
    dsoCube.Update

    dsoCube.UnlockObject
    Set dsoCubeRole = Nothing
    Set dsoCube = Nothing
        
    dsoDB.Update
    dsoServer.Update
    dsoServer.UnlockAllObjects
    dsoServer.CloseServer
    Set dsoServer = Nothing
    Set dsoDB = Nothing
    Set dsoRole = Nothing
    
    MsgBox "Done"
End Sub
  4. Save, and then run the code. Open Analysis Manager and test the role.
  5. Comment out the lines that contain the incomplete permission statement and uncomment the lines that contain the complete permission statement.
  6. Save and re-run the code. Open Analysis Manager and test the role again.
Modification Type:MinorLast Reviewed:4/24/2003
Keywords:kbinfo KB293815 kbAudDeveloper
©2002 Microsoft Corporation. All rights reserved.