Module 15: Implementing Security Contents Overview Introducing Analysis Services Security Understanding Administrator Security Securing User Authentication Understanding Database Roles Implementing Dimension Security 13 Managing Cube Roles 17 Lab A: Implementing Cube Security 27 Review 32 Information in this document is subject to change without notice The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted Complying with all applicable copyright laws is the responsibility of the user No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation If, however, your only means of access is electronic, permission to print one copy is hereby granted Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property  2000 Microsoft Corporation All rights reserved Microsoft, BackOffice, MS-DOS, Windows, Windows NT, are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A and/or other countries The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted Other product and company names mentioned herein may be the trademarks of their respective owners BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 15: Implementing Security iii Instructor Notes Presentation: 60 Minutes Lab: 30 Minutes In this module, students will gather the skills necessary to implement security in Microsoft® SQL Server™ 2000 Analysis Services Students will learn the concepts and mechanics of administrative permissions, database roles, and cube roles In the lab, students create and test a role that uses dimension and cell security After completing this module, students will be able to: ! Understand the use of security in Analysis Services ! Explain administrator security ! Describe authentication methods ! Assign database roles ! Apply dimension security ! Manage cube roles Materials and Preparation This section lists the required materials and preparation tasks that you need to teach this module Required Materials To teach this module, you need the following materials: ! Microsoft PowerPoint® file 2074A_15.ppt Preparation Tasks To prepare for this module, you should: ! Read all the student materials ! Read the instructor notes and margin notes ! Complete all the demonstrations ! Practice the lecture presentation and demonstration ! Complete the lab ! Review the Trainer preparation presentation for this module on the Trainer Materials compact disc ! Review any relevant white papers that are located on the Trainer Materials compact disc BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY iv Module 15: Implementing Security Module Strategy Use the following strategy to present this module: ! Introducing Analysis Services Security Explain that Analysis Services allows security to be defined at different levels in online analytical processing (OLAP) databases and cubes—from the server level down to the cell level ! Understanding Administrator Security Explain that to administer Analysis Services, you must be a member of the Microsoft Windows® 2000 or Microsoft Windows NT® OLAP Administrators group ! Securing User Authentication Introduce ways to connect to Analysis Server Explain that user security is controlled by authentication ! Understanding Database Roles Introduce roles by defining what they are and by giving some key parameters Introduce the Database Role Manager dialog box and describe its use Show how to define, delete, edit, and copy a new role Define database role properties and introduce the Create a Database Role dialog box and how it allows you to define properties of a role Display the dialog box as you discuss the user interface elements ! Implementing Dimension Security Introduce dimension security Explain that, with dimension security, you can prevent users from viewing specified dimension members, and data associated with those members Show how dimension security is defined by using the Custom Dimension Security dialog box Display the dialog box as you discuss the user interface elements ! Managing Cube Roles Introduce the Cube Role Manager, explain dimension and cell security, describe advanced cell security permissions, and introduce administration and custom options BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 15: Implementing Security Overview Topic Objective To provide an overview of the module topics and objectives ! Introducing Analysis Services Security Lead-in ! Understanding Administrator Security ! Securing User Authentication ! Understanding Database Roles ! Implementing Dimension Security ! Managing Cube Roles In this module, you will learn about Analysis Services security This module teaches you how to implement security in Microsoft® SQL Server™ 2000 Analysis Services You will learn the concepts and mechanics of administrative permissions, database roles, and cube roles In the lab, you will create and test a role that uses dimension and cell security After completing this module, you will be able to: ! Understand the use of security in Analysis Services ! Explain administrator security ! Describe authentication methods ! Assign database roles ! Apply dimension security ! Manage cube roles BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 15: Implementing Security Introducing Analysis Services Security Topic Objective To introduce the concept of security ! Cell Security ! Database security can be applied in Analysis Services only when the Analysis Server is installed on an NTFS file system Therefore, it is recommended that Analysis Services always be installed on an NTFS partition Dimension Security ! Key Point Cube Security ! By implementing security in Analysis Services, you limit access to data Administrator Security ! Lead-in Special Options By implementing security in Analysis Services, you limit access to data Analysis Services allows security to be defined at different levels and for different reasons in databases and cubes For example, the following are types of Analysis Services security: ! Administrator security defines who can administer an Analysis Server ! Cube security allows you to specify which users can read and write to an online analytical processing (OLAP) cube ! Dimension security allows you to restrict users from viewing specified dimension members ! Cell security, the most granular level of security, allows you to define the cells that users can read and write to ! Special options define security for drillthrough, cube linking, and SQL queries Important Database security can be applied in Analysis Services only when the Analysis Server is installed on an NTFS file system Therefore, it is recommended that Analysis Services always be installed on an NTFS partition BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 15: Implementing Security Understanding Administrator Security Topic Objective To explain administrator security ! The User Who Installs Analysis Services Is Automatically Placed in the OLAP Administrators Group ! Additional Administrators Must Be Added to the OLAP Administrators Group ! All Administrators Have Identical Privileges ! Administrator security defines who can administer an Analysis Server Administrator Security Is Based on Windows 2000 or Windows NT 4.0 Security ! Lead-in An Administrator Retains Full Access Privileges when Connected through a Client Administrator security defines who can administer an Analysis Server It is important to understand how to grant administrators the required rights needed to gain access to the Analysis Server The following are characteristics of administrator security: ! To administer Analysis Services, you must be a member of the Microsoft Windows® 2000 or Microsoft Windows NT® 4.0 OLAP Administrators group When Analysis Services is installed, a user group named OLAP Administrators is automatically created on the Analysis Server ! The user who performs the installation is automatically placed in the OLAP Administrators group ! Any additional administrators must be added to the OLAP Administrators group You add administrators to the OLAP Administrators group outside Analysis Manager by using Windows 2000 or Windows NT 4.0 user administration ! Only one level of administrator privilege exists in Analysis Services An administrator can perform all operations in a database—they can even delete the database ! When connected to a cube through a client, administrators retain full read and write access to all cubes, dimensions, and cells, regardless of any defined cube, dimension, or cell security Note Administrators maintain write access to only those cubes that are write-enabled BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 15: Implementing Security It is recommended that you establish specific Windows 2000 or Windows NT accounts to administer Analysis Services Administrators should refrain from accessing Web pages, productivity applications, and e-mail applications that support scripts or macros when using the administrative accounts because of the extensive data access rights of administrative account holders BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 15: Implementing Security Securing User Authentication Topic Objective To introduce ways to connect to Analysis Server ! Lead-in User security is controlled by authentication Direct Connection # # ! A user connects to Analysis Server directly Authentication is based on credentials granted in the user domain account HTTP Connection through IIS # # A user connects to Analysis Server through IIS by using HTTP Analysis Server relies on IIS authentication User security is controlled by authentication There are two ways to connect to an Analysis Server, each with its own authentication method ! Direct Connection When a user attempts to connect to an Analysis Server directly, the server attempts to authenticate based on credentials granted in the domain account of the user If the connection string specifies a user name and password different from the login account of the user, the specified name and password are ignored If the credentials of the user not permit access to the Analysis Server from the network, authentication is unsuccessful and the connection fails Analysis Services uses Security Support Provider Interface (SSPI), and supports various providers that use SSPI ! Internet Information Services (IIS) Users can connect to an Analysis Server through IIS by using Hypertext Transfer Protocol (HTTP) A connection string specifies the data source property When a user attempts to connect through IIS, Analysis Server relies on IIS authentication If authentication on IIS is unsuccessful, the connection to the Analysis Server is denied Note IIS provides several authentication methods For additional information, refer to the Internet Information Services online documentation BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 15: Implementing Security $ Understanding Database Roles Topic Objective To describe the concept of roles in Analysis Services ! Using the Database Role Manager ! To give users access to Analysis Services databases and cubes, you must first create roles to assign the access Defining Roles ! Lead-in Defining Database Role Properties To give users access to Analysis Services databases and cubes, you must first create roles to assign the access To effectively manage roles, you need to understand the use of roles in Analysis Services, and how to create roles by using Analysis Manager In the next section, you will learn about the following security topics relating to roles: ! Defining roles ! Using the Database Role Manager ! Defining database role properties BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY 20 Module 15: Implementing Security Advanced Cell Security Permissions Topic Objective To introduce advanced cell security permissions ! Lead-in Read Permission # The three types of advanced permissions are Read Permission, Read Contingent Permission, and Read/Write Permission ! Read Contingent Permission # ! Determines the cells that users can view Determines if cells derived from restricted cells are viewable by users •Cells are viewable if derived from viewable cells •Cells are not viewable if derived from restricted cells Read/Write Permission # Determines the cells that users can update If you select the Advanced policy for cell security, you can define three types of permissions for cells, each of which has three types of rules that can be applied The three types of advanced permissions are Read Permission, Read Contingent Permission, and Read/Write Permission In each of these permissions, the three types of rules that can be applied are Unrestricted, Fully Restricted, and Custom Read Permission Read permission determines the cells that are viewable to users of the role The cells specified with this permission are viewable regardless of whether they are derived from other cells that are not viewable The read permission choices are: ! Unrestricted Users belonging to the role can view all cells This is the default read permission choice ! Fully Restricted The users belonging to this role can view only those cells specified by read contingent or read/write permissions described below ! Custom The users belonging to this role can view only those cells specified by an MDX statement Note If the Advanced Cell Security Rule for the Read Contingent or Read/Write Permission is Unrestricted and you create a Custom Rule for the Read Permission, the setting for Read Contingent and Read/Write is changed automatically to Fully Restricted on saving the role BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 15: Implementing Security 21 Read Contingent Permission Read contingent permission determines whether cells that are derived from restricted cells are viewable to the user Cells specified with this permission and derived from other cells are viewable only if all the source cells are also viewable For example, suppose a cube contains the measures Sales and Cost and the calculated member Profit, which equals Sales minus Cost If a custom MDX expression grants access to all measures except Cost, Cost and Profit would both be unavailable The read contingent permission choices are: ! Unrestricted Users belonging to the role can view all cells This is the default choice ! Fully Restricted Users belonging to the role can view only those cells specified by Read or Read/Write permissions ! Custom Viewable cells are specified by an MDX expression By using the above example, if Cost were restricted, Profit would also be restricted because it uses the restricted Cost measure in its calculation Read/Write Permission Read/write permission determines the cells that users can update by using the writeback capability of Analysis Services The cube must be write-enabled for this setting to take effect Read/write permission overrides read permission—that is, if a user is granted read/write permission, that user is able to view the cell even if read permission is denied The read/write permission choices are: ! Unrestricted Users belonging to the role can update all cells ! Fully Restricted Users belonging to the role cannot update any cells but can read cells as specified by Read or Read Contingent permissions ! Custom An MDX expression defines the cells that can be both read and updated Note For more information on writeback, see Module 14, “Using Actions, Drillthrough, and Writeback,” in course 2074A, Designing and Implementing OLAP Solutions with Microsoft SQL Server 2000 BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY 22 Module 15: Implementing Security Administration of Custom Options Topic Objective ! To introduce the administration of custom settings and special cube security options Custom Settings Administration # Lead-in # The following items concern the administration of custom settings and special cube security options ! MDX statements define viewable or restricted cells in custom rules Commonly used security MDX functions include: •CurrentMember •Ancestor •Name Special Cube Security Options # Allow Drillthrough # Allow linking to this cube # Allow sending SQL queries The following items concern the administration of custom settings and special cube security options Custom Settings Administration To administer a custom rule for cell security, create an MDX expression to define the cells that are available for viewing or updating MDX functions that you commonly use to define cell security custom rules include the following: ! CurrentMember—used to specify the currently accessed member ! Ancestor—used to specify the ancestor of the currently accessed member ! Name—used to specify the name of a particular member The MDX expression returns either a Boolean or a numeric result If the expression returns True or a non-zero number, access is granted to that cell If the expression returns False or zero, access is denied Therefore, you specify either the cells that a user is able to access or the cells a user cannot access For example, if you want to grant access to all cells in the USA and no other geography, you can use the following expression: Ancestor([Geography].CurrentMember,[Geography].[Country]).Name = “USA” Alternatively, you can specify the members that are not available for access For example, if you want to grant access to all measures except Unit Sales, you can use the following expression: [Measures].CurrentMember.Name “Unit Sales” BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 15: Implementing Security 23 Note If a dimension is not included in the MDX expression, it is assumed that users are granted access to all cells in that dimension Special Cube Security Options The Options tab in the Create a Cube Role dialog box contains three check boxes for security properties: ! Allow Drillthrough When selected, users belonging to the role are allowed to perform drillthrough Drillthrough must be defined in the cube for this property to apply to the cube Note Linked cubes not support drillthrough ! Allow linking to this cube When selected, users belonging to the role are permitted to link to the cube ! Allow sending SQL queries When selected, users belonging to the role are permitted to query the cube by using SQL Note Because Analysis Server is an OLE DB provider, in addition to an OLE DB for OLAP Provider, it can be queried with SQL BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY 24 Module 15: Implementing Security Demonstration: Building Dimension and Cell Security Topic Objective To demonstrate dimension and cell security Lead-in In this demonstration, you will learn how to define a new role for the HR cube in the FoodMart 2000 database Delivery Tip Encourage students to follow this demonstration on their own computers In this demonstration, you will learn how to define a new role for the HR cube in the FoodMart 2000 database The members of this role will be denied access to: ! The Senior Management member of the Position dimension by using dimension security ! The Employee Salary measure for the Middle Management member of the Position dimension by using cell security ! To set up and specify a role In Analysis Manager, expand the FoodMart 2000 database, expand the Cubes folder, right-click the HR cube, and then click Manage Roles In the Cube Role Manager dialog box, click New In the Create a Cube Role dialog box, type HR Role in the Role name box Verify that Client is selected in the Enforce on list Click the Membership tab, and then click Add In the Add Users and Groups dialog box, click any user group, click Add, and then click OK to close the Add Users and Groups dialog box BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 15: Implementing Security 25 ! To define dimension security In the Create a Cube Role dialog box, click the Dimensions tab Click the Rule column for the Position dimension, and then in the list, click Custom In the Custom Settings column, click the ellipsis button (…) In the Custom Dimension Security dialog box, type No Senior Management in the Description box In the Members box, click the plus sign (+) next to the All Position member to expand the outline Clear the Senior Management member check box Click the Advanced tab and notice the various MDX statements The MDX statements correspond to the inputs on the Basic tab You can update the statements manually Click the Common tab Notice that the Virtual Totals properties are disabled The HR cube contains a distinct count measure Visual Totals cannot exist in cubes containing distinct count measures Click OK to close the Custom Dimension Security dialog box ! To define cell security In the Create a Cube Role dialog box, click the Cells tab In the Cell security policy list, click Advanced Click the Rule column for Read permission, and then in the list, click Custom Click the ellipsis button (…) in the Custom Settings column Type Hide salary for middle managers in the Description box In the MDX box, enter the following: Position.Currentmember.Name "Middle Management" OR (Position.Currentmember.Name = "Middle Management" AND Measures.Currentmember.Name "Employee Salary") The MDX expression gives users the ability to view all non-Middle Management Position dimension members for all measures, and the ability to view Middle Management members for all measures except for Employee Salary Click Check to validate the MDX syntax, and then click OK BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY 26 Module 15: Implementing Security ! To test the role Click OK to close the Cube Cell Security dialog box Click OK to close the Create a Cube Role dialog box In the Cube Role Manager dialog box, click Test Role In the Cube Browser dialog box, drag the Position dimension to the row area Verify that the Senior Management member does not appear in the Position dimension Verify that for the Middle Management member, Employee Salary displays #N/A Click Close twice BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 15: Implementing Security 27 Lab A: Implementing Cube Security Topic Objective To introduce the lab Lead-in In this lab, you will create a role, implement security, and test a role Explain the lab objectives Objectives After completing this lab, you will be able to: ! Create a cube role ! Implement dimension security ! Implement cell security ! Test a cube role Scenario In exercise 1, you will implement dimension security The role you define will prevent users from viewing members of the Promotions dimension, except for the All Promotions member The same role will restrict the Store dimension so that users can view only USA and its descendants Finally, you will prevent users from viewing the Store Cost measure In exercise 2, you will modify the role you created in exercise Rather than completely denying users access to Canada and Mexico, you will prevent them from seeing the Store Cost measure for stores outside USA You will perform this by defining cell security for the cube Estimated time to complete this lab: 30 minutes BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY 28 Module 15: Implementing Security Exercise Building Dimension Security In this exercise, you will implement dimension security for the FoodMart 2000 Sales cube ! To define a new role In Analysis Manager, expand the Cubes folder in the FoodMart 2000 database Right-click the Sales cube, and then click Manage Roles In the Cube Role Manager dialog box, click New In the Create a Cube Role dialog box, type USA in the Role name box In the Enforce on list, click Server ! To specify associated users Click the Membership tab, and then click Add In the Add Users and Groups dialog box, click any user group, and then click Add Click OK to close the Add Users and Groups dialog box ! To deny access to the Promotions dimension Click the Dimensions tab Click the Rule column for the Promotions dimension, and then in the list, click Fully Restricted ! To provide access to USA stores only On the Dimensions tab, in the Rule column for the Store dimension, click Custom Click the ellipsis button (…) in the Custom Settings column for the Store dimension Type USA Only in the Description box In the Top Level list, click Store Country Verify that the Select all members option is clicked in the Select members pane In the Members pane, Canada, Mexico, and USA are displayed Deselect the Canada and Mexico check boxes Click OK to close Custom Dimension Security dialog box BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 15: Implementing Security 29 ! To deny access to the Store Cost measure On the Dimensions tab, click the Rule column for the Measures dimension, and then in the list, click Custom Unlike the other dimensions, Measures has no Fully Restricted option It is impossible to fully restrict all cube measures Click the ellipsis button (…) in the Custom Settings column for the Measures dimension Type No Cost in the Description box Verify that the Select all members option is clicked in the Select members pane In the Visible Measures pane, deselect the Store Cost check box Click OK to close the Custom Dimension Security dialog box Click OK to close the Create a Cube Role dialog box ! To test the security settings In the Cube Role Manager dialog box, click Test Role The Cube Browser dialog box displays Verify that for the Promotions dimension, only one member displays—All Promotions Verify that for the Store dimension, only USA and USA’s descendants are displayed Verify that for the Measures dimension, Store Cost does not display Close the Cube Browser dialog box, and then close the Cube Role Manager dialog box BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY 30 Module 15: Implementing Security Exercise Building Cell Security In the previous exercise, you prevented USA users from seeing Canada and Mexico data Suppose, however, that rather than completely denying these users access to Canada and Mexico, that you simply want to prevent them from viewing a specific measure, Store Cost, for Canada and Mexico You can define cell security rather than dimension security for the Store dimension ! To remove security from Store and Measures dimensions In Analysis Manager, right-click the FoodMart 2000 Sales cube, and then click Manage Roles In the Cube Role Manager dialog box, click the USA role, and then click Edit In the Edit a Cube Role dialog box, click the Dimensions tab Click the Rule column for the Store dimension, and then in the list, click Unrestricted Click the Rule column for the Measures dimension, and then in the list, click Unrestricted ! To deny read access to Store Cost for Canada and Mexico In the Edit a Cube Role dialog box, click the Cells tab In the Cell security policy list, click Advanced An alert appears asking if you want to enforce security on the client Click Yes Cell security requires enforcement on the client Click the Rule column for permission Read, and then in the list, click Custom Click the ellipsis button (…) in the Custom Settings column In the Cube Cell Security dialog box, type No Cost Canada Mexico in the Description box Enter the following in the MDX box: Ancestor(Store.Currentmember, [Store Country]).Name = "USA" OR (Ancestor(Store.Currentmember, [Store Country]).Name "USA" AND Measures.Currentmember.Name "Store Cost") The MDX statement gives users the ability to see USA stores for all measures, and stores that are not in the USA, but not for the Store Cost measure Click Check to validate the MDX syntax, and then click OK BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 15: Implementing Security 31 ! To test the role Click OK to close the Cube Cell Security dialog box Click OK to close the Edit a Cube Role dialog box In the Cube Role Manager dialog box, click Test Role In the Cube Browser dialog box, drag the Store dimension to rows Verify that for the Store Cost measure, USA and its descendants contain numeric values, and all other members of the Store dimension display #N/A Click Close twice BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY 32 Module 15: Implementing Security Review Topic Objective To reinforce module objectives by reviewing key points ! Introducing Analysis Services Security Lead-in ! Understanding Administrator Security ! Securing User Authentication ! Understanding Database Roles ! Implementing Dimension Security ! Managing Cube Roles The review questions cover some of the key concepts taught in the module How you grant someone permission to administer an Analysis Services database? You must add them to the OLAP Administrators group by using Windows 2000 or Windows NT 4.0 user administration When connecting to a cube by using HTTP protocol, how are users authenticated? Users are authenticated with Internet Information Services (IIS) authentication You create a cube role restricting access to a dimension member You test the role by using the Test Role feature, and the role works correctly However, when you access the cube from a client application, the restricted member displays What is a likely cause? The user is probably a member of the OLAP Administrators group Administrator status overrides security defined by a role How does a database role differ from a cube role? A database role cannot define security for private dimensions A database role cannot define cell security A database role cannot define drillthrough, linking, or SQL security BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 15: Implementing Security 33 Can dimension and cell security be applied to virtual cubes? To linked cubes? Yes in both cases When access to a member is denied by using dimension security, is the user prevented from seeing the member name, or just the data associated with the member? The user is unable to see both the member name and the data of the member BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY THIS PAGE INTENTIONALLY LEFT BLANK ... ONLY iv Module 15: Implementing Security Module Strategy Use the following strategy to present this module: ! Introducing Analysis Services Security Explain that Analysis Services allows security. .. PREPARATION PURPOSES ONLY 12 Module 15: Implementing Security Implementing Dimension Security Topic Objective To introduce dimension security Lead-in By using dimension security, you prevent users... Dimension Security ! Key Point Cube Security ! By implementing security in Analysis Services, you limit access to data Administrator Security ! Lead-in Special Options By implementing security