Monday, November 22, 2010

Analysis Services Security: DENY does not override GRANT

Is the famous rule of thumb broken? I am sure that you all are aware the rule and you know that DENY always wins over GRANT. If you want to see an exception (or a situation) read one of my previous posts “Column GRANT overrides DENY TABLE, Avoiding with Common Criteria Compliance”.

This post discusses another situation, it is not with SQL Server Relational Engine, it is will SQL Server Analysis Services.

Analysis Services behaves bit differently. As you know, if an object of SQL Server database is denied explicitly, it is always denied even with an explicit grant. For example, if you are in a Role that grants SELECT on Table1 and in another role that denies SELECT on Table1, you will not be able to execute SELECT on Table1. Analysis Services authorizes on items differently. It unions all grants and authorizes. If you are in a Role that grants on Item1 and Item2 (Note that in Analysis Services, once items are granted, all other items are denied, no need to explicitly deny them as SQL Server database engine objects) and in another Role that grants Item2 and Item3, you are granted for Item1, Item2, and Item3.

Let me show you a sample on this. The below image shows a Role in Analysis Services Adventure Works DW 2008R2 database. This is how it is created;

  • Name: Business Users
  • Membership: Dinesh
  • Cubes: Adventure Works – Read
  • Dimension Data:
    • Product Dimension, Category – granted for Accessories and Bikes
    • Other Dimensions – granted for all

BusinessUsers

Second image shows another role in same database. Its properties are as follows;

  • Name: Coordinators
  • Membership: Dinesh
  • Cubes: Adventure Works – Read
  • Dimension Data:
    • Product Dimension, Category – granted for Bikes and Clothing
    • Other Dimensions – granted for all

coordinators

Business Users role denies for Clothing and Components. Coordinators role denies for Accessories and Components. When Dinesh sees data, he sees union of both; Accessories, Clothing, and Bikes. The reason for this is, Analysis Services uses all GRANTs from all Roles for connected user and then authorizes. That is why he sees Accessories and Clothing even though they are denied from each role. This is how he sees when Categories are loaded with Excel.
eXCEL

Note: This type of security cab be tested with Management Studio too. Start Cube Browser and click on Change User icon. The opened window allows you to set the context with Current User, Other User, or Roles.

roles

1 comment:

bateks said...

Sorry for my English.
How can I manage this restrictions (see below)?
F.e., we have two dimensions: Brands and Companies.
I need
1. My User must have access to the cube data restricted by only 1 member "XXX" of the dimension Brands (with no restrictions on the dim Companies).
2. My User must have access to the cube data, restricted by only 1 member "YYY" of the dimension Companies (with no restrictions on the dim Brands).
If I make this restrictions in a one role — then User can access the cube data on the "intersection", where Brand = XXX and Company = YYY simultaneously.
If I make this restrictions in two separate roles, then giving to my User membership in both, this User get access to the all cube data, with no restrictions at all.