Understanding Cell-Level Security

About Cell-Level Security

Service Administrators applying cell-level security can deny access to cells that a user would normally have access to through their regular security. Cell-level security is therefore defined as an exception to the existing member security. For example, a Department Manager requires access to all accounts in their own department, but only a certain account in all other departments. With the usual metadata security, the Manager would have access to all accounts across all departments, but cell-level security enables the Service Administrator to control the intersection of all accounts with the Manager's department and only the specific account in all other departments.

Cell-level security uses rules, similar to valid intersection rules, to deny read or write access to users viewing certain cell intersections anywhere a cell is shown (for example, forms, runtime prompts, Smart View, reports, dashboards, infolets, and so on). When cell-level security rules are applied, users with read access can see the data value in a cell but the cell is not editable. If users are denied read access to a cell, the value displayed in the cell is #noaccess.

If you are a Service Administrator, you can define and assign cell-level security rules to any user or group. Cell-level security doesn't affect you.

Anchor and Nonanchor Dimensions

Cell-level security definitions use anchor and nonanchor dimensions:

  • Anchor dimensions are always required dimensions in the cube that is used in the cell-level security definition.

  • Nonanchor dimensions are either required or not:

    • If a nonanchor dimension is required, any cube that doesn't use that dimension will ignore any cell-level security definitions where that dimension is tagged as required.

    • If a nonanchor dimension isn't required, any cube that doesn't use that dimension still evaluates any cell-level security definition that includes that dimension as not required. The cube evaluates the definitions of the other dimensions in that definition that are in use in the cube.

    • By default, nonanchor dimensions aren't required. To make a nonanchor dimension required, click the down arrow icon next to the nonanchor dimension, and then click Required.

  • By default, the anchor dimension members that are not specified in the rule are included in the security definition, but you can clear this option by clicking the down arrow icon next to the anchor dimension, and then clicking Apply to Selected Members Only.
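
The required and not-required behavior described above, modeled in Python as an added example; it is not Oracle's implementation or API. The cube names, members and the `Definition` class are constructed for illustration. Member matching is simplified to set membership, the anchor is assumed to behave like a required nonanchor, and the default inclusion of unspecified anchor members is not modeled.

```python
from dataclasses import dataclass, field

@dataclass
class Definition:                    # hypothetical model of one rule
    anchor: str                      # anchor dimension
    members: dict                    # dimension -> members the rule covers
    required: set = field(default_factory=set)  # nonanchors tagged Required
    deny: str = "read"               # "read" or "write"

def dimensions_evaluated(d, cube_dims):
    """Dimensions a cube evaluates for d, or None if the cube ignores d."""
    if d.anchor not in cube_dims:    # assumption: anchor acts as always required
        return None
    if any(dim not in cube_dims for dim in d.required):
        return None                  # required nonanchor missing: ignored
    # Not-required nonanchors missing from the cube are skipped
    return [dim for dim in d.members if dim in cube_dims]

def cell_access(definitions, cube_dims, cell):
    """cell maps dimension -> member; returns the effective access."""
    result = "read-write"
    for d in definitions:
        dims = dimensions_evaluated(d, cube_dims)
        if dims is not None and all(cell[x] in d.members[x] for x in dims):
            if d.deny == "read":
                return "#noaccess"   # value shown when read is denied
            result = "read-only"     # write denied: visible, not editable
    return result

# Constructed sample cubes and rules
PLAN1 = {"Entity", "Account", "Product"}
PLAN2 = {"Entity", "Account"}        # no Product dimension
COVERED = {"Entity": {"Dept200"}, "Account": {"Salaries"}, "Product": {"P100"}}
OPTIONAL = Definition("Entity", COVERED)                 # Product not required
REQUIRED = Definition("Entity", COVERED, required={"Product"})

if __name__ == "__main__":
    cell = {"Entity": "Dept200", "Account": "Salaries"}
    print(cell_access([OPTIONAL], PLAN2, cell))   # "#noaccess"
    print(cell_access([REQUIRED], PLAN2, cell))   # "read-write"
```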