by Admin9. January 2013 19:23In this video we are showing how the security of BAT is working:
The main points are:
- If the check box "use for security" is checked for BAT-user, then BAT-user will have associated MSAS-role named "bad_user_john" (for example). If the check box "use for security" is set for a BAT-role, then BAT-role will have associated MSAS-role named "bat_role_accountants" (for example).
- When you added a new cube link - do not forget to give permissions on a cube for your users or for roles, otherwise they will be unable to see reports.
- When report user opens a report, BAT-server starts the process OlapExecutor.exe which opens connection to MSAS. In this connection you will have "Roles=bat_user_john" or "Roles=bat_role_accountants" (dependently who is securable). If both are securable - you will have "Roles=bat_user_john,bat_role_accountants" and MSAS will behave in "or"-mode (it will union all permissions but NOT intersect them).
- You should think carefully who should be securable. If you need to have multiple users with the same permissions - create BAT-role and make it securable, and make those users non-securable. Then give permissions on a cube for BAT-role.
- We suggest you to not make user and its roles both securable at the same time, otherwise you will get a mess and will be unable who can access what data.
- Use functionality "Roles Backup" in admin module BEFORE deployment of a new version of a cube on the server (cause deployment operations may kill all existing MSAS-roles). So, you may backup all MSAS-roles before deployment, then deploy new version of OLAP cube, then restore MSAS-roles.
004c0e0b-3bf8-49f3-81bc-d04faae177ef|0|.0|96d5b379-7e1d-4dac-a6ba-1e50db561b04