SSAS cube login specific security on data - security

I've encountered the following problem - I already have a working cube that processes lots of data on a schedule. The requirement I got now was to restrict the data in the cube according to specific logins. I'm aware of dynamic SSAS cube security through roles or even logins but I don't see them helping me as I have a kind of a hybrid scenario, and it is as follows:
For example, imagine you have a cube processing sales and income of an international trading company, and you belonged to a role of country directors; what I want to do is adjust permissions so that every country director sees all the measures and dimensions, but they see sales/income only from their country.
Is this possible?
All help is appreciated.
EDIT: I might not have made the best example above. My scenario is slightly different, in a way that there isn't a business rule that would place any two users in the same group. Basically, every user has to see only data that somehow refers to him/her. And this really can't be done manually as there are over 4000 users...
Best regards,
MK_

Yes, both Tabular and Multidimensional SSAS have row filtering options. In your scenario you need:
- A Country dimension
- Create a role for each Country that has directors
- Assign each director to their specific role
- Row filter each role by their corresponding Country dimension

Related

SSAS - Aggregation issue with “Not-applicable” members that needs to be excluded from the “Grand Total” in Excel

We’ve built a Finance OLAP Cube in SSAS which is mostly used/browsed by Accountants. Due to a “self-service” policy that is followed, users are in the meantime required to make use of Excel (with a data connection to the cube) as their reporting and/or analysis tool.
One of the dimensions, the Accounts dimension, contains the full list of accounts including a Chart of Accounts hierarchy. After the initial launch of the cube, users started to request alternative/custom Account hierarchies to cater for their reporting.
Most of these requested hierarchies (apart from the Chart of Accounts hierarchy) contain only a portion of the full list of accounts e.g. Management Expense Hierarchy.
The initial approach was to create e.g. a Management Expense Hierarchy within the Accounts dimension with a “not applicable” attribute name for the non-management expense accounts. Users then needed to deselect the “not applicable” name from the “Management Expense Hierarchy” Pivot Field List in Excel whenever they dragged this hierarchy into the “rows” field. Not all users were satisfied with this option and requested that they only wanted to see the relevant accounts without deselecting items, which led us to utilize the attribute hierarchy select/deselect members of the Dimension Data section from Roles – which was not successful.
The next approach was to utilize the Dimension Hierarchy Level Property – HideMemberIf “No Name” in order to show only the relevant Expense Management hierarchy levels/members and hide the non-management expense accounts.
This was achieved by creating a dimension called “Management Expenses” and adding an additional foreign key column in the fact table with a relationship to the Management Expense dimension. The non-management expense accounts were populated with a -1 key and a NULL attribute name.
The desired results were achieved in Excel with the HideMemberIf “No Name” BUT the “Grand Total in Excel” still shows the sum of ALL accounts
Excel Hierarchy Example
Any suggestions in order to resolve the “Grand Total” issue – i.e. to exclude the -1 entries also … will be much appreciated.
Can you create a scope statement in cube to nullify any values for your -1 entries?

Filtering From 2 different tables in DAX

I am having a little trouble figuring out how to properly filter from the one side through a many relationship and back through to another one sided table.
The issue is that a Customer can have multiple accounts which can have multiple Customers.
In the attached image I am trying to filter from a Center# through the All Customer level and then add a filter on the List table to get the correct open accounts.
So the example would be I am looking for all Customers that are associated with Center A and are attached to an account type A.
The inactive one to many relationship from All Cust -> All Accts is what needs to be active instead of the All Cust -> Open table.
I am currently using:
CALCULATE([Cust Enrolls],CROSSFILTER('All Cust'[All Customer Number],'Open'[Primary Customer Number],Both))
to be able to filter for the account type, but that table's customer is just the single primary customer.
Any ideas on how I should either rework the model or how to create the correct measure?
Model
I would recommend re-working your Data Model so that you have a clear 1-M for each dimension table to your fact tables. This will save you a tremendous amount of time and headaches now and in the future by structuring your data properly.

How can I use PowerBI's Row Level Security to implement an employee filter on a website?

I have to embed a PowerBI scorecard visual on a website. I've set up the scorecard in PowerBI Desktop, and it looks fine; the slicer for the scorecard filters the employee name.
I'd like for the employee that visits the company website to see only their data in the scorecard- in other words, their presence on the website would automatically filter the scorecard to reveal their statistics only. Fortunately, they have to login to the company's website by providing their Windows credentials.
I'm not sure how to go about doing this. I understand that I have to use the "Security" portion of the "Modeling" tab, and I've (successfully) created an explicit role for one viewer by using the following code:
'Table1'[Employee Name] = "John Smith"
Of course, this only reflects John Smith's statistics when I click "View as Roles." I don't think it's practical to explicitly write a DAX code snippet for every single employee, since my company has 3000+ employees.
Can anyone share any instructions, or lead me to some?
Thank you in advance.
I had to deal with a similar issue, though we view our dashboards within the Power BI service, so that is the authentication I am familiar with. The basis for this form of dynamic row level security is that the expression written is evaluated for each row in the indicated table to either True or False.
If your user has signed in to the you will be able to determine the identity using USERPRINCIPALNAME(). This is the email address they use to sign into the service.
Since you are displaying data specific to that user, it is possible you already have their email in your data. If that is the case, and it is simply another field in your table your validation line would look something like:
'Table1'[Email] = USERPRINCIPALNAME()
The left side of the expression refers to the row you are referencing, while the right will supply the name of the authenticated user. If you don't have that available in your existing data, you could use a DAX expression to lookup the Employee name from a list of emails and their associated names.
In this case, you only have one role which everyone needs to be assigned to, and the logic above will determine which rows they can see.
This is a simple example in which each employee can only see their own data. The model can be extended by creating 'security tables' with users and their associated records, and then utilizing the CONTAINS() function to check authorization, but it sounds like you have a 1-to-1 relationship with what individuals should be able to see.
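The security-table variant mentioned at the end of the answer above, which also fits the per-user case in the first question when the SSAS model is Tabular, shown as an added example that is not part of the original posts. The table 'UserAccess' and its columns [Login] and [Employee Name] are assumed names; 'Table1'[Employee Name] is the column from the question.

```dax
-- Added example. 'UserAccess' is a hypothetical security table with one row per
-- (login, employee) pair; [Login] and [Employee Name] are assumed column names.
-- [Login] must hold the same form the identity function returns: the sign-in
-- e-mail for USERPRINCIPALNAME(), or DOMAIN\user if an on-premises model uses
-- USERNAME() instead.

-- (1) Row filter on 'Table1' for the single role every user is assigned to.
--     Evaluated per row: TRUE only if the signed-in user is mapped to the
--     employee on that row, so one role covers thousands of users.
CONTAINS (
    'UserAccess',
    'UserAccess'[Login], USERPRINCIPALNAME (),
    'UserAccess'[Employee Name], 'Table1'[Employee Name]
)

-- (2) Row filter on 'UserAccess' in the same role, so a user cannot read
--     other people's mappings from the security table itself.
'UserAccess'[Login] = USERPRINCIPALNAME ()

-- (3) Audit query, run as a DAX query by a model administrator (outside the
--     role): employees present in the data that no login is mapped to.
--     Under (1) these rows are visible to nobody, which usually points to a
--     missing or misspelled mapping.
EVALUATE
EXCEPT (
    VALUES ( 'Table1'[Employee Name] ),
    VALUES ( 'UserAccess'[Employee Name] )
)
```

Expressions (1) and (2) go into the role's table filters; "View as Roles" with a test identity confirms that only the mapped rows remain.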

Plant data is not passing in MM02

I am updating a custom table based on plant in MM02 using the user exit EXIT_SAPLMGMU_001. The problem is when I am not passing through Plant data\ stor.1 tab plant data is not passing to the exit I am using.
I need to update the custom table even when basic data is changed without changing plant. Please suggest how to achieve this.
You should better imagine SAP organizational structure to answer your own question. Company codes are subdivided into plants, plants can be assigned to one or more purchasing or sales organization. So plant division makes sense only while editing material's sales or purchasing master data. As Dirk fairly said, your plant details just shouldn't be normally passed to your user-exit in case you don't open sales or purchasing views in MM02. And if you do, MARC-WERKS is perfectly populated.

Filemaker main overview table records

I have two tables: businesses and leads. businesses is the parent table; A record in businesses may have many leads.
My leads table holds data like "calls, appointment, etc etc" - all searchable.
I'm trying to create a layout to sort all of my businesses by my lead information, either with a portal filter or list view.
The goal is to help me figure out who I need to call or see today.
Go into Manage Database and make sure you have an actual relationship setup between businesses and leads.
Then make a layout based on the businesses table and add a portal to that layout based on the leads, which will show up in the drop-down because of the relationship. You'll also see options in the portal properties to sort by whatever column(s) you want.
