SSAS - tabular | Security exercise | Apply security roles to restrict model access in various ways

This exercise is provided to allow potential course delegates to choose the correct Wise Owl Microsoft training course, and may not be reproduced in whole or in part in any format without the prior written consent of Wise Owl.

Software ==> SSAS - tabular  (30 exercises)
Version ==> SSAS 2012 and later
Topic ==> Security  (2 exercises)
Level ==> Harder than average
Subject ==> SSAS training
Before you can do this exercise, you'll need to download and unzip this file (if you have any problems doing this, click here for help).

You need a minimum screen resolution of about 700 pixels width to see our exercises. This is because they contain diagrams and tables which would not be viewable easily on a mobile phone or small laptop. Please use a larger tablet, notebook or desktop computer, or change your screen resolution settings.

If you haven't already done so, run the SQL script referenced in other SSAS Tabular exercises to generate a database (not for commercial use or copying) called MAM

Create a new project and model, and import the following tables: tblAnimal, tblProduct, tblSpecies, tblTransaction.  Create a measure in the transactions table to show total quantity sold.

Create a role called Penguins only, with a row filter which says that you should only be able to see data from the Animal table when the following conditions hold:

Condition Notes
Animal is a penguin The AnimalName column for the query context is Penguin
CustomData is set The CustomData information in the connection string passed in is set to Penguin lovers.

Analyse your model in Excel using the Penguins only role, to get the following pivot table:

Empty pivot table

This is showing quantity sold by product, but the role isn't allowing you to see any data.


Now amend the connection string in Excel to include the following phrase:

Connection string amended

The text to add to your connection string (the rest of the string will be different, of course, on your machine).

Refresh your pivot table if necessary to get:

Penguins in pivot table

You should now be able to see your penguins!


Now go into Management Studio and run the script called Create table of authorities.sql from the folder at the top of this exercise.  This should create the following table of authorities:

Table of authorities

A table showing which roles have access to which data.


Import this table into your data model.

Create two roles with read access to data, and set row filters for the Animal table as follows:

Role Access to animals table
BG If you can find a row in the tblAuthority table where the Person is Bear Grylls and the Animal matches the AnimalName for the current query context, return TRUE(); otherwise, return FALSE().
Others The same logic, but this time looking for Everyone else.

Analyse your model in Excel using the BG role - you should see only the following animals:

The Bear Grylls animals

The animals made visible by the BG role.


Manually edit the connection string in Excel to use the Others role, not the BG one, to see:

The final pivot table

The data for cute and cuddly (or at least, safe) animals.


Optionally, save this workbook as Most deadly, then close it and your model down. 

You can unzip this file to see the answers to this exercise, although please remember this is for your personal use only.
This page has 0 threads Add post