SSAS Changing Dimension Security Requires Processing Cubes?

Question

Is it necessary to process a cube before changes to the allowed attributes for a database dimension show up? I have a database on SSAS 2008 with a geography dimension that contains an attribute named "State". The State attribute contains a value for every state in the United States (e.g. Alaska, Alabama,...,Washington). I have a MOLAP cube that uses this dimension. I have an AD group for every state and a role in SSAS for every state that contains the associated AD group.

I want to restrict access to specific states using role security on the database dimension not on the cube dimension. I want to do this because I will be adding an additional cube in the future that will share the same State dimension. None of my changes to permissions at the database dimension level seem to get reflected in the cube. However when I set the permission on the cube dimension everything works as expected.

For example, I have set my Alaska role to only have access to the "Alaska" State attribute value for the Geography dimension in the SSAS database. When I authenticate as an Alaska user (I log out of my workstation and login as the Alaska user) I see all 50 states. However when I restrict permissions on the cube dimension and authenticate as an Alaska user the only state I see is Alaska.

Do I need to process my cube before changes to permissions at the database level are reflected in the cube?

Answer 1

• Is it necessary to process a cube before changes to the allowed attributes for a database dimension show up?

Yes, since you have a MOLAP storage, all the info is copied from the database to the cube.

---

• I want to restrict access to specific states using role security on the database dimension not on the cube dimension

That is not possible, but since you are using SSAS 2008 you can share a dimension among several cubes, so you will only have to do it once anyway