OLAP security

Dynamics AX 4.0

Business decision makers typically view online analytical processing (OLAP) data in a PivotTable report. A PivotTable, as the name implies, can be rearranged or "pivoted" quickly for a different data summary. By default, user groups do not have access to PivotTable reports. They must be granted access. This topic describes how to control access to OLAP reports.

  • Applications such as Microsoft Excel can link directly to OLAP cubes in Analysis Services. Even if you have restricted access to cube data in Microsoft Dynamics AX, end users might still be able to access cube data in Microsoft SQL Server Analysis Services if you have not properly configured security roles in Analysis Services. For more information about securing access to OLAP cubes in Analysis Services, see Creating Security Roles in the Microsoft SQL Server Analysis Services books online.

  • Cubes from different companies in Microsoft Dynamics AX can overwrite each other unless those cubes are stored in separate Analysis Services databases. For this reason, create a unique Analysis Services database for each company that will generate OLAP reports. To learn how to create separate databases in Analysis Services, see Creating Databases in the SQL Server Analysis Services books online.

  • Only members of the Administrators group in Microsoft Dynamics AX should be granted access to the form ( > > > ) and the forms ( > > ). If a non-administrator is granted access to these forms, the user could view OLAP data not intended for that individual.

  • If you restricted access to certain fields or tables in Microsoft Dynamics AX using Manage record-level security, be aware that those restrictions are not propagated to OLAP cubes. To enforce data-level restrictions in OLAP cubes, use Analysis Services mining models and custom roles. For more information, see Creating Security Roles in the Microsoft SQL Server Analysis Services books online.

To learn more about OLAP cubes and PivotTable reports, see Introduction to OLAP Reporting.

SQL Server Analysis Services enforces OLAP security through roles. A user can access OLAP data if the user's name has been added to a role with access to OLAP data. If the user's name has not been added to a role, the user will not have access to OLAP data, regardless of any configurations in Microsoft Dynamics AX. For this reason, see the SQL Analysis Servers books online regarding how to add a user to an Analysis Services role.

Once the user has been added to an Analysis Services role, you must configure Microsoft Dynamics AX access to OLAP data. Users can view OLAP data from a variety of forms and menus in Microsoft Dynamics AX if their user group has permission to a form/menu and if an OLAP cube has been processed for the form/menu. For example, if members of a Finance group have View, Edit, Create, or Full Control permission for the > > menu, and if the administrator has processed a cube for this menu item, then members of that group can click to view OLAP data for accounts in the General Ledger.

Users can access the button or option from the following forms or menus:

  • > >

  • > >

  • > > > > >

  • > > >

  • > >

  • > >

  • > >

  • > > >

  • > >

  • >

  • > >

  • > > >

  • > >

  • > > > >

  • > > >

To control access to OLAP data, determine which groups need access to which forms/menus. Next, determine the most restrictive permissions possible for the user group. You can set permissions on the form ( > > > ). If you are unsure whether a group should have access to a form, deny access until you receive explicit instructions stating otherwise from a manager or supervisor. When you receive a request for access to one of the preceding forms/menus, use the following procedure to grant access to the form/menu and thereby grant access to OLAP data.

ImportantImportant

Restrict user group and application access to OLAP data and the Analysis Services server. If you do not restrict access, a malicious user could perform repeated OLAP operations that could quickly consume all memory and CPU resources on the server and the database and thereby render these computers temporarily inaccessible.


  1. From a Microsoft Dynamics AX client, select a user group on the form ( > > > ). For the procedure to create a new user group, see Manage user groups.

  2. Select a domain. For the procedure to create a new domain, see Manage domains.

  3. Click the tab.

  4. In the list box, select the form or menu to which you want to grant access, for example, > > , and then select the appropriate permission under .

  5. If you select a child node, for example , click to set the permission on all corresponding child tables and fields.

  6. Press CTRL + S to save changes.

The form ( > > ) provides a list of processed OLAP cubes. If a user group can view an OLAP cube in the form, then members of that group can view OLAP data by selecting a cube and clicking . As a security best practice, restrict OLAP cube availability in the form according to user groups.

  1. From a Microsoft Dynamics AX client, click > > > > .

  2. On the tab, select a cube definition.

  3. Click the tab.

  4. Make a note of the key name in the drop-down list. For example, CustInquiries.

  5. Close the form.

  6. Open the form ( > >> ).

  7. Select a user group and a domain and click the tab.

  8. Locate the node that corresponds to the security key. For example, select the node and then select . Notice that the security key CustInquiries appears in the left pane.

  9. Under , select a permissions level. To view OLAP data using the , a user group requires View permissions at the very least. If a user group currently has View permissions for a selected key and you want to restrict access, select No access.

  10. Press CTRL + S to save changes.

  11. Repeat this procedure for each OLAP cube listed in the .

Show: