Dimension Security

Dimension Security lets you control access to specific dimension members, such as departments, products, or other hierarchies, by security group.

You can create Dimension Security Profiles that contain rules to allow or deny access to selected dimension members. These profiles can then be applied either to models or to individual dimension filters on a dashboard.

Model-Level Security Profiles

A model can have two profiles attached:

  • a default read profile, which applies to all model queries against that model unless the query explicitly specifies a profile
  • a default write profile, which applies to all writes to the model

If the write profile is NULL, the read profile also applies to writes.

If the read profile is NULL, then there is no default model-level security.

Dimension-Level Security Profiles

Dimensions can also have a default security profile.

This profile applies to all dimension queries for that dimension unless:

  • the query explicitly specifies a profile, or
  • the query references a model

If a dimension query references a model and does not explicitly specify a profile, the system uses the model’s default read profile.

Default Access Behavior

If security is enabled for a dimension, meaning there is at least one security rule in the profile for that dimension, users have no access by default to any members in that dimension unless access is explicitly granted through the security profile.

Rule Processing

Dimension Security is evaluated sequentially. The system processes the rules in the order they appear and applies them one by one.

Because users have no access by default, there is generally no value in starting with a Deny rule.
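
The following sketch is an added example, not the product's own code: it models the profile selection and in-order rule processing described above so the effect of rule order can be checked. The names `Rule`, `effective_profile` and `visible_members` are hypothetical, and it assumes each rule adds to or removes from a running result and that members are flat (hierarchy descendants are not modelled).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:                      # hypothetical shape of one profile rule
    dimension: str
    action: str                  # "allow" or "deny"
    groups: frozenset            # security groups the rule applies to
    members: frozenset           # dimension members the rule selects

def effective_profile(op, explicit=None, model=None, dimension_default=None):
    """Choose the profile for a query; model is (read_profile, write_profile)."""
    if op == "write":            # writes: write profile, else the read profile
        read, write = model
        return write if write is not None else read
    if explicit is not None:     # an explicit profile on the query wins
        return explicit
    if model is not None:        # query references a model: its default read
        return model[0]          # profile (None means no model-level security)
    return dimension_default     # plain dimension query

def visible_members(rules, dimension, user_groups, all_members):
    """Apply a profile's rules in order and return the members a user can see."""
    scoped = [r for r in rules if r.dimension == dimension]
    if not scoped:               # no rule for this dimension: security is off
        return set(all_members)
    granted = set()              # security enabled: start with no access
    for r in scoped:             # assumption: each rule adds to or removes
        if not (r.groups & user_groups):   # from the running result
            continue
        if r.action == "allow":
            granted |= r.members & set(all_members)
        else:
            granted -= r.members
    return granted

# Constructed sample data
DEPARTMENTS = {"Sales", "HR", "Finance", "IT"}
ANALYSTS = frozenset({"analysts"})
ALLOW = Rule("Department", "allow", ANALYSTS, frozenset({"Sales", "HR", "Finance"}))
DENY = Rule("Department", "deny", ANALYSTS, frozenset({"HR"}))

if __name__ == "__main__":
    print(visible_members([ALLOW, DENY], "Department", {"analysts"}, DEPARTMENTS))
    print(visible_members([DENY, ALLOW], "Department", {"analysts"}, DEPARTMENTS))
    print(visible_members([ALLOW, DENY], "Department", {"guests"}, DEPARTMENTS))
```

With the Deny rule placed first it removes nothing, so the later Allow rule leaves HR visible; placing Deny after Allow is what actually carves HR out.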