Setting Identity-Driven Security

It is sometimes necessary to substitute identity values in a permission condition to further refine member-level security. Identity-specific values are dynamically derived according to the user ID with which a client is authenticated. Those values are then used to filter the target data. The identity-specific values are derived from identity-driven properties that are stored in the metadata repository for each user and group. You can set an identity-driven authorization using the Member Authorization expression builder.
  1. Select Authorization Manager, then select By Type, then select Dimension, and drill down to a dimension.
  2. Right-click the dimension and select Properties.
  3. In the dimension's Properties dialog box, select the Authorization tab, as shown in the following display. Select (or add) the user or group whose Read access you want to limit. In this example, the PUBLIC group is restricted.
  4. In the Effective Permissions list, add an explicit grant of the Read permission for that user or group. If the selected user or group does not already have a permission condition defined, the Add Authorization button is now enabled.
  5. Click Add Authorization to open the Add Authorization dialog box.
Authorization Tab
In the Add Authorization dialog box, select the Create an advanced MDX expression using the expression builder option, and then click Build Formula. This opens the Build Formula dialog box.
Add Authorization Dialog Box – Advanced MDX Expression
In the Build Formula dialog box, you can create an MDX filter and observe the MDX expression as you build it. Use the logical operators to specify multiple clauses in your MDX expression in the Expression Text list. Use the Functions tab to add MDX functions to your expression. Use the Insert button to add your selections to the Expression Text list.
Build Formula – Logical Operators
Use the Data Sources tab to browse through the dimensions and hierarchies in your cube and select the members that require access control. Use the Add to Expression button to add your selections to the Expression Text text field. You can also check the accuracy of the expression that you are building by selecting the Validate Expression button.
Validate Expression Button
To add identity values to the expression, click the Identity Values folder on the Data Sources tab. Select an identity value from the list. Use the Add to Expression button to add your selections to the Expression Text text field.
Expression Text Field
Here is a list of possible identity values:
SAS.ExternalIdentity
This property translates to optional, site-specific values such as Employee ID. Those values are not automatically stored in the metadata repository and need to be loaded and maintained.
SAS.IdentityGroupName
This property resolves to the name of the requesting group identity (for example, Portal Admins Group).
SAS.PersonName
This property resolves to the name of the requesting user identity (for example, SAS Demo User).
SAS.IdentityName
This property returns the name of either the requesting group identity or the requesting user identity, depending on whether the user ID is a group login or a personal login.
SAS.Userid
This property translates to the authenticated user ID, normalized to one of the uppercase formats USERID or USERID@DOMAIN (for example, SASDEMO@LXXXXX).
SAS.IdentityGroups
This property resolves to the names of the groups of which a user is a member.
When you are finished, click OK. You will return to the Add Authorization dialog box. Select OK again to save the permission condition and return to the Properties dialog box.
See the topics Securing Cubes and Identity-Driven Properties for more information.
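The following Python sketch is an added illustration, not SAS code and not part of the original documentation: it models how the identity values listed above could resolve for an authenticated login and then filter dimension members. The function names, dictionary layout, sample members, and the choice to return no members when a value such as SAS.ExternalIdentity has not been loaded are assumptions of the example.

```python
# Added illustration, not SAS code: a simplified model of identity-driven filtering.

def normalize_userid(login):
    """Model SAS.Userid: uppercase USERID or USERID@DOMAIN."""
    return login.strip().upper()

def identity_values(login, identity, is_group_login=False):
    """Resolve identity values for one authenticated login.

    `identity` is a constructed stand-in for a metadata repository entry."""
    name = identity["name"]
    return {
        "SAS.Userid": normalize_userid(login),
        "SAS.IdentityName": name,  # group or person name, by login type
        "SAS.IdentityGroupName": name if is_group_login else None,
        "SAS.PersonName": None if is_group_login else name,
        "SAS.IdentityGroups": list(identity.get("groups", [])),
        # Site-specific value; absent unless someone loaded and maintains it.
        "SAS.ExternalIdentity": identity.get("external_identity"),
    }

def visible_members(members, attribute, prop, values):
    """Members whose `attribute` equals the requester's value for `prop`.

    Assumption of this model: an unresolved value yields no members."""
    value = values.get(prop)
    if not value:
        return []
    allowed = set(value) if isinstance(value, list) else {value}
    return [m["member"] for m in members if m[attribute] in allowed]

# Constructed sample data: dimension members tagged with owner attributes.
MEMBERS = [
    {"member": "East", "owner_userid": "SASDEMO@LXXXXX",
     "owner_group": "Portal Admins Group", "employee_id": "E1001"},
    {"member": "West", "owner_userid": "JDOE",
     "owner_group": "Sales", "employee_id": "E1002"},
    # Lowercase user ID in the data never matches the normalized SAS.Userid.
    {"member": "North", "owner_userid": "sasdemo@lxxxxx",
     "owner_group": "Portal Admins Group", "employee_id": "E1003"},
]
DEMO = {"name": "SAS Demo User", "groups": ["Portal Admins Group"]}

if __name__ == "__main__":
    vals = identity_values("sasdemo@lxxxxx", DEMO)
    print(visible_members(MEMBERS, "owner_userid", "SAS.Userid", vals))
    print(visible_members(MEMBERS, "owner_group", "SAS.IdentityGroups", vals))
    print(visible_members(MEMBERS, "employee_id", "SAS.ExternalIdentity", vals))
```

In this model, a filter on SAS.ExternalIdentity stays empty until the site-specific value is loaded for the identity, which is the case to check before relying on that property in a permission condition.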