MicroStrategy ONE
Maintaining data access security
Reports that connect to Intelligent Cubes adhere to many of the same standards of data access security as the rest of your MicroStrategy project. You can control users' access to data with security filters. For more information on security filters, see the System Administration Help.
User and group security filters are applied automatically on reports that connect to an Intelligent Cube, as shown below:
This approach allows a single Intelligent Cube to be used by multiple security filters, rather than having to create separate Intelligent Cubes for each security filter. By using a single Intelligent Cube to support all the security filters for a project, data access security is implemented automatically with minimal burden on Intelligence Server memory.
However, there are some differences in security filter resolution for reports that connect to Intelligent Cubes as compared to reports that directly access the data warehouse.
Security filter resolution for reports connected to Intelligent Cubes
Security filter resolution for reports that connect to Intelligent Cubes differs as compared to reports that directly access the data warehouse. These differences relate to what attributes are on a user's security filter, and how these relate to the attributes and fact entry levels of metrics available in the Intelligent Cube used for the report.
If all attributes in a user's security filter are in the Intelligent Cube that is used for the report, then security filters can be resolved using the standard process. However, if some of the attributes in a user's security filter are not in the Intelligent Cube used for the report, security filter resolution can differ from the standard process.
While this scenario is uncommon, it can cause users of reports that access Intelligent Cubes to experience one of the following results:
-
No data is returned for the report.
This could also be caused by the user creating a view filter that is too restrictive, or by the user's normal security filter resolution.
-
A metric or metrics are displayed with no data returned for the metric.
Another possible cause of metrics not properly returning data on reports connected to Intelligent Cubes is the use of dynamic aggregation (see Dynamic Aggregation). However, when this is caused by dynamic aggregation, null values are displayed for the metric rather than not displaying any information at all. The image below shows the difference between security filter resolution and dynamic aggregation as the cause for metrics not displaying any data.
By default, null values are represented by dashes (--) on reports. For information on changing the display of null values, see Changing the display of null values.
If a user is experiencing one of the two scenarios listed above due to security filter resolution, the following resolutions can be considered:
| Resolution | Pros | Cons |
|
The user continues to use the report that accesses the Intelligent Cube. |
Data access security is maintained. No additional resources are needed to modify the Intelligent Cube or to create a new report. |
Some data that may be available to the user by directly querying a data source may not be available in the report that accessed an Intelligent Cube. |
|
The user creates or views a report with the same definition that directly queries a data source rather than accessing an Intelligent Cube. |
The user is able to verify the full results that can be returned for such a report. |
A new report that directly queries a data source must be created. The new report cannot take advantage of the improved query performance of accessing an Intelligent Cube. |
|
Add the attributes used in a user's security filter to the Intelligent Cube and publish the updated Intelligent Cube. |
The security filter resolution for the user can use the standard process and return the same data as if the report were directly querying a data source. This is also helpful if multiple users could benefit from the same change to the Intelligent Cube definition. |
The Intelligent Cube must be published again to reflect the new definition. Publishing the Intelligent Cube can require substantial system resources. Including additional attributes requires more memory for the Intelligent Cube to be stored on Intelligence Server. |
Security filter resolution when attributes in a user's security filter are not in the Intelligent Cube used for the report
When attributes in a user's security filter are not in the Intelligent Cube used for the report, the outcome depends on how the attributes are related to those in the Intelligent cube, as described below:
-
Attributes in the security filter are related to attributes in the Intelligent Cube: No data is returned, to maintain data access security.
For example, an Intelligent Cube includes the attributes Year and Region, and the metric Revenue. A user creates a report that connects to this Intelligent Cube, and includes Year and Revenue on the report. The user's security filter is defined on the attribute Quarter to return data only for the first quarter of 2008.
By including the Year attribute on the report, this report would return information for all quarters in each year. However, the user is allowed to only see data for the first quarter of 2008. To maintain this data access security, no data is returned for the report.
- Attributes in the security filter are not related to attributes in the Intelligent Cube: The data returned depends on whether metrics in the Intelligent Cube report fact data based on attributes related to those in the user's security filter:
A metric in the Intelligent Cube reports fact data based on an attribute related to one in the security filter: The user's security filter prevents any data from being returned.
For example, an Intelligent Cube includes the attributes Year and Region, and the metric Revenue, which is based on the fact Revenue. This fact, in turn, is reported based on the attributes Item, Day, and Call Center. A user creates a report that connects to this Intelligent Cube, and includes Year and Revenue on the report. However, this user's security filter is defined on the attribute Category to return data only from Books.
Since Revenue is based on Item, Day and Call Center only, it cannot be reported based on the Category attribute. In such a case, no data will be reported for the Revenue metric.
- A metric in the Intelligent Cube reports fact data based on an attribute unrelated to those in the security filter: The security filter does not apply any restriction, and displays the data for metrics based on the fact.
- The table below describes the security filter resolution for scenarios listed above:
|
|
A fact in the Intelligent Cube is reported based on an attribute in the security filter | A fact in the Intelligent Cube is not reported based on any of the attributes in the security filter |
|
Attributes in the security filter are related to attributes in the Intelligent Cube |
No data is returned, to maintain data access security. |
No data is returned, to maintain data access security. |
|
Attributes in the security filter are not related to attributes in the Intelligent Cube |
Data can be returned using the standard security filter resolution. However, to maintain data access security, no data is displayed for any metrics where fact data is reported based on attributes related to those in the security filter. |
Data can be returned using the standard security filter resolution. In this scenario the security filter does not need to restrict any data, and the metric data can also be displayed. |
Data access security with connection mapping
In MicroStrategy, you can also use connection mapping to control the data that users have access to when they run reports. You can also apply this security when users create reports that connect to an Intelligent Cube. For information on maintaining data access security with connection mapping to Intelligent Cubes, see the System Administration Help.
Setting permissions for individual Intelligent Cubes
You can use an Intelligent Cube's Access Control List (ACL) to set specific access permissions for users. For example, you can restrict some users to only create reports based on an Intelligent Cube, but not re-execute the Intelligent Cube.
You can use the ACL Editor in -MicroStrategy Web to assign the following permission groups to users, for each Intelligent Cube:
|
Group |
Description |
Permissions granted |
|
Consume |
Grants permission to create and execute reports based on this Intelligent Cube. |
Browse Read Use |
|
Add |
Grants permission to create and execute reports based on this Intelligent Cube, and republish/re-execute the Intelligent Cube to update the data. |
Browse Read Use Execute |
|
Collaborate |
Grants permission to create and execute reports based on this Intelligent Cube, republish/re-execute the Intelligent Cube to update the data, and modify the Intelligent Cube. |
Browse Read Write Delete Use Execute |
For information on ACLs and access permissions, see the System Administration Help.