Multidimensional Model Roles and Permissions
Analysis Services provides a role-based authorization model that grants access to operations, objects, and data. All users who access an Analysis Services instance or database must do so within the context of a role.
As an Analysis Services system administrator, you are in charge of granting membership to the server administrator role that conveys unrestricted access to operations on the server. This role has fixed permissions and cannot be customized. By default, members of the local Administrators group are automatically Analysis Services system administrators.
As the model designer or database administrator, you must create the roles that describe different levels of access within a given database, and then assign membership to every user who requires access. You can assign permissions at these levels: database, interior objects such as cubes and dimensions (but not perspectives), and rows. It is common practice to create roles and assign membership as separate operations. Often, the model designer adds roles during the design phase. This way, all role definitions are reflected in the project files that define the model. Role membership is typically rolled out later as the database moves into production, usually by database administrators who create scripts that can be developed, tested, and run as an independent operation.
All authorization is predicated on a valid Windows user identity. Analysis Services uses Windows authentication exclusively to authenticate user identities.