Managing security
So far, we have only discussed how to set up security from the point of view of the developer. However, once the roles have been defined, security will still need to be managed: new users will appear, some users will disappear, and users may change which roles they are members of.
This task is not generally managed by the developers of the Analysis Services cube, it is usually handled by someone else such as a network administrator or a DBA whose job it is to look after the cube once it has gone into production. So, the question is: how should these people add new users to a role? The answer should not be that they need to open SSDT or SQL Management Studio and edit the roles directly. If we have followed our rule to only add Windows groups as role members, it will be possible to add or remove users purely by adding and removing these members from domain groups. This will mean that whoever is managing security will not need administrative access to the cube itself; it will...
