Creating Authorization Objects

Authorization object is the repository object used for access control of users and groups of users by creating data segments.

Data segment is a set of cube data slice and security subjects permissions to this data.

Cube data slice is a two-dimensional data table obtained by mandatory fixing at least one cube dimension. Dimension fixation is a selection of the dimension elements.

NOTE. The authorization object with dynamic access permissions must be specified on creating process steps.

On creating authorization object of any type, the cube permissions are limited for users or groups of users. To grant permissions for users or groups of users, set authorization object on their creation and determine data segment for them.

To create new and edit ready authorization objects, the Authorization Object Wizard is used.

To open the wizard in the object navigator execute one of the operations:

On creating a new authorization object:

Click the New Object > User Objects > Authorization Object button in the Create group of the Home ribbon tab of the object navigator.
Select the Create > User Objects > Authorization Object item in the object navigator's context menu.

On editing ready authorization object. Select the authorization object in object navigator and execute one of the operations:

Click the Edit button in the Open group on the Home ribbon tab.
Select the Edit item in the authorization object's context menu.
Press F4.

Basic properties

The first authorization object wizard page is Basic Properties. The page view depends on authorization object type:

Data segments

The next wizard page, Data Segments, is used to determine the list of data segments. Data segments are set by determining selections by dimensions of the selected source.It enables dividing data source into segments available for singnle groups of users work.

To add a data source:

Click the Add Source button. The object selection dialog box opens:

Select one or several cubes that are data sources.
Click the OK button.

To delete data source:

Select the source to be deleted in the list.
Click the Delete button. The data source will be deleted after operation confirmation.

To set selections by source dimensions:

Double click the dimension or select it and click the Edit Value button. A dialog box opens to determine dimension values:
Select one of the radio buttons:

Undefined (is not used in approval). On selecting the radio button, the segment will include all elements of the dimension. To create a data segment, set selection at least for one cube dimension.
Determine. If the radio button is selected, select dictionary elements that will set data segment:

Make sure that at least for one cube dimension selection is set.

Click the Save button.

Thus, static data segments are created outside the processes using authorization objects, to which the permissions are granted for selected users or groups of users. Access permissions to static data segments are determined by discretionary access control method. The attribute access control method slices.

To work, dynamic data segments, that are created on starting process step and are active till it is finished, are defined in processes using authorization objects.