Dynamic Security white paper

Analysis Services 1 Minute
From Richard Tkachuk’s site, a new paper on setting up simple dynamic security in AS2005:
…although it doesn’t mention any of the more complex ways of implementing dynamic security, such as calling a sproc to return the allowed member set or persisting the permissions inside a measure group. Incidentally there was an interesting thread on the MSDN Forum recently that had some interesting comparisons between how these two approaches performed:
 
To be honest I’ve gone off the idea of dynamic security because of the performance implications – it stops you making full use of caching. It would be interesting to see a comparison of query performance in complex security scenarios between dynamic security and creating individual roles.

Published by Chris Webb

My name is Chris Webb, and I work on the Fabric CAT team at Microsoft. I blog about Power BI, Power Query, SQL Server Analysis Services, Azure Analysis Services and Excel.

Published

5 thoughts on “Dynamic Security white paper

  1. > I\’ve gone off the idea of dynamic security because of the performance implications – it stops you making full use of caching
    This is interesting statement. I wonder why you singled out dynamic security, because any security stops you making full use of caching. Dynamic aspect of security is for the ease-of-management.

    Reply

  2. Yes, but isn\’t it true that since dynamic security uses the UserName() function it stops the sharing of formula engine caches between users, unlike regular security roles?

    Reply

  3. There is nothing magic about UserName function (no parethesis). The caches are not shared, because different roles have different data. Therefore whether you create multiple roles, or just one using UserName function – the FE caches won\’t be shared between roles/users in either case.

    Reply

  4. Sorry, I\’ve been really bad at explaining myself… What I\’ve been meaning to say all along but not got round to saying is that in any large scale security implementation there are going to be multiple users who share the same access rights. In this case, using dynamic security, users who had the same rights would not be able to share FE caches whereas if they had been members of the same non-dynamic role they would have been able to. Isn\’t that right?

    Reply

  5. I agree – it would be nice if someone stepped up to a "formal study" on various security options like:
     
    – Dynamic Security
    – Dynamic security with sproc
    – "Regular" dimensional role security
    – also HTTP access overhead
     

    Reply

Leave a Reply to ChrisCancel reply