Roles Best Practices

The recommended best practices for Roles and Data access are:

  • Delete the default Full Access
  • Create specific roles, e.g. Sales Denmark, Sales Germany and add relevant users and groups of users to these groups.
  • In each role set the Databases permission to Allow and set the Default Child Permission to None. This will ensure that users may access Connections, but by default will not gain access to any new
  • In each role set each Connection permission to Allow or None and set the Default Child Permission to None. This will ensure that users may/may not access Cubes, but by default will not gain access to any new
  • In each role set the Cubes permission to Allow or None and set the Default Child Permission to Inherit. This will ensure that users may/may not access Dimensions and Measures in that cube and by default will inherit the cube’s permission when trying to access any new Dimensions and Measures.
  • Avoid as far as possible use of the Deny in all roles setting!
Was this article helpful?
0 out of 0 found this helpful

Comments

2 comments
  • Hi,

    Very useful article! Can you also make a best practices for the Documents section?

    Should I also set the Default Child Permission to "None"?  And what does the checkbox Inherit mean?

    Thanks!

    0
  • In the Documents tab, setting the Default Child Permission on any given node to "None" will mean that any new subfolders added to that node will be set to "None in this role" for both Read access and Write access.

    Keeping a checkmark in the "Inherit" check box means that the folder's access settings will be controlled by the parent folder's access settings. In your example, if you change the Write setting to "Allow in this role" on the Shared Documents folder, it will simultaneously change accordingly on all subfolders with an "Inherit" checkmark.

    0

Please sign in to leave a comment.