Manage Permissions in Azure Analysis Services

Understanding Roles and Permissions

Azure Analysis Services (AAS) provides robust mechanisms for managing access to your data models. This document outlines how to effectively manage permissions using roles and user assignments.

Roles Overview

Roles are the primary way to grant access to data in Azure Analysis Services. By assigning users or groups to specific roles, you can control what data they can see and what actions they can perform. AAS supports two main types of roles:

  • Administrator Role: Members of this role have full administrative control over the Azure Analysis Services server. They can manage models, databases, roles, and server settings.
  • Database Roles: These roles are defined within individual Analysis Services databases. They grant permissions to specific objects within a database, such as tables, columns, and rows.

Creating and Managing Roles

You can manage roles using several tools:

  • Azure Portal: The Azure portal provides a user-friendly interface for managing server-level administrator roles.
  • SQL Server Management Studio (SSMS): SSMS is the recommended tool for creating and managing database roles.
  • Tabular Editor: A powerful third-party tool for managing Analysis Services models, including roles and permissions.
  • PowerShell: For scripting and automation, you can use PowerShell cmdlets.

Creating a Database Role in SSMS

  1. Connect to your Azure Analysis Services server instance using SSMS.
  2. In Object Explorer, expand the server node, then expand the Databases node.
  3. Right-click on the database for which you want to create a role and select New Role.
  4. In the Role Properties dialog:
    • Enter a Role Name.
    • Select Membership to add users or groups.
    • Configure Permissions by selecting the checkboxes for desired access levels (e.g., Read, Read Definition, Read Contributor).
    • Define Cell Data Access and Row-Level Security (if applicable).
  5. Click OK to create the role.

Assigning Users and Groups to Roles

Server Administrator Role

To assign server administrators:

  1. Navigate to your Azure Analysis Services resource in the Azure portal.
  2. In the left-hand menu, under Settings, click Administrators.
  3. Click Add and enter the Azure Active Directory (Azure AD) user or group name.
  4. Click OK.

Database Roles

To assign users or groups to database roles:

  1. In SSMS, right-click on the desired database role and select Properties.
  2. Go to the Membership page.
  3. Click Add... and enter the Azure AD user or group name.
  4. Click OK.

Important: Use Azure Active Directory (Azure AD) groups whenever possible for easier management. This allows you to manage permissions by updating group membership in Azure AD, rather than directly on the Analysis Services resource.

Permission Types

When defining database roles, you can grant the following permissions:

  • Read: Allows users to query data and metadata. This is the minimum permission required for users to interact with the data model.
  • Read Definition: Allows users to read metadata (schema) but not query data.
  • Read Contributor: Allows users to read data, metadata, and deploy changes to the database.
  • Administrator: This permission is typically reserved for server administrators and grants full control over the database.

Row-Level Security

For granular data access control, you can implement row-level security (RLS) using filters on tables within your data model. This is configured per database role and ensures users only see the rows of data they are authorized to view.

Implementing Row-Level Security

  1. In SSMS, open the role properties for the desired database role.
  2. Navigate to the Row-Level Security section.
  3. Select the table to which you want to apply a filter.
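  4. Enter a DAX expression that defines the filter condition. For example, to filter by salesperson's region: [Region] = USERPRINCIPALNAME() or use a lookup table. USERPRINCIPALNAME() returns the signed-in user's sign-in name (for example, user@contoso.com), so a direct comparison like this matches only when the column stores such names; a lookup table instead maps each user to the rows they may see.

Tip: Thoroughly test your row-level security configurations to ensure they are functioning as expected and not inadvertently restricting access or exposing sensitive data.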

Best Practices

  • Principle of Least Privilege: Grant only the necessary permissions to users and groups.
  • Use Azure AD Groups: Simplify permission management by assigning permissions to Azure AD groups.
  • Regularly Review Permissions: Periodically audit user and group access to ensure it remains appropriate.
  • Document Your Roles: Maintain clear documentation of your roles, their purposes, and the permissions they grant.
  • Use a Staging Environment: Test permission changes in a non-production environment before applying them to production.
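
To support the "Regularly Review Permissions", "Use Azure AD Groups" and least-privilege practices above, the following Python sketch audits the roles section of a tabular model definition exported as JSON (model.bim / TMSL). It is an added example, not part of the original documentation; the sample model, role names and member values are constructed, and it assumes groups are listed as obj:groupid@tenantid and service principals as app:appid@tenantid.

```python
import json

# Constructed sample: the roles section of a tabular model definition (model.bim / TMSL).
SAMPLE_MODEL = json.loads("""
{"name": "SalesModel", "model": {"roles": [
  {"name": "Model Admins", "modelPermission": "administrator",
   "members": [{"memberName": "alice@contoso.example"}]},
  {"name": "Regional Sales", "modelPermission": "read",
   "members": [{"memberName": "obj:11111111-1111-1111-1111-111111111111@22222222-2222-2222-2222-222222222222"}],
   "tablePermissions": [{"name": "Sales",
                         "filterExpression": "Sales[SalespersonUPN] = USERPRINCIPALNAME()"}]},
  {"name": "All Readers", "modelPermission": "read",
   "members": [{"memberName": "bob@contoso.example"}]}
]}}
""")

def _has_filter(table_permission):
    # model.bim stores a multi-line expression as a list of strings.
    expr = table_permission.get("filterExpression", "")
    if isinstance(expr, list):
        expr = "\n".join(expr)
    return bool(expr.strip())

def audit_roles(model_doc):
    """Return (role name, finding) pairs for roles that need a reviewer's attention."""
    findings = []
    for role in model_doc.get("model", {}).get("roles", []):
        name = role.get("name", "<unnamed>")
        permission = role.get("modelPermission", "none")
        if permission == "administrator":
            findings.append((name, "grants full control of the database"))
        for member in role.get("members", []):
            member_name = member.get("memberName", "")
            # Assumption: groups appear as obj:<groupid>@<tenantid> and service
            # principals as app:<appid>@<tenantid>; anything else is one account.
            if not member_name.lower().startswith(("obj:", "app:")):
                findings.append((name, f"individual account assigned directly: {member_name}"))
        filtered = [tp for tp in role.get("tablePermissions", []) if _has_filter(tp)]
        if permission in ("read", "readRefresh") and not filtered:
            findings.append((name, "no row filter: members can read every row"))
    return findings

if __name__ == "__main__":
    for role_name, finding in audit_roles(SAMPLE_MODEL):
        print(f"{role_name}: {finding}")
```

Run it against each exported model as part of a periodic access review; a role that produces no findings here still needs its filter expressions tested with real accounts.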