Search code examples
authorizationiccube

icCube authorization on a parent child dimension - how to restrict access to upper levels?

This question uses the parent-child schema enclosed here.

I want to restrict access for a user on the 'dim (all)' hierarchy to view all the data at a certain level and below, but not the data above this member. For example, view 'Europe' and below this level, but I not the parent 'World'.

I managed to make a role that gives access to Europe and below, using the formula:

{[dim (ALL)].[Hierarchy].[ Level - 1].&[3].descendants}

and default member:

[dim (ALL)].[Hierarchy].[ Level - 1].&[3]

and apply to celss = Yes

But using this role, I still can see the World:

select [Measures].[value] on 0
, [dim (ALL)].[Hierarchy].allmembers on 1
from [cube]

result: enter image description here

What do I need to do to 'redefine' the 'root' to 'Europe', if it is possible at all?

Solution

  • Sorry, it's currently not possible with security to convert a sub-tree into a tree. When allowing a member you do it for all ancestors.

    In your example, if you allow [Europe] you allow [World]