easyROLES the fastest way to set up SSAS roles

User guide

This guide explains how to use easyROLES for the quickest and easiest SSAS role deployment. It refers to the latest release of the role manager. If you are not currently using the latest version, we strongly encourage you to upgrade.

Getting started

With easyROLES you manage Analysis Services security roles via a web browser, so there is no need to install any specific software on the client computers once you have the server side up and running. (You can find the server component installation guide here.)

easyROLES is functional with any browser that supports Windows authentication and delegation. Below you will find the browsers we tested and specific configuration instructions for each.

Microsoft Internet Explorer versions 10 and newer

Make sure that the Enable Integrated Windows Authentication check box on the Advanced tab of Internet Options is checked. Add the web server URL to the trusted site list (use the fully qualified domain name).

Google Chrome

To enable Windows authentication and delegation in Google Chrome, you need to start the browser with additional command line parameters. Edit the properties of your Chrome shortcut so that it contains these arguments:

 --args --auth-server-whitelist="*domain" --auth-negotiate-delegate-whitelist="*domain"


Firefox

To enable Windows authentication and delegation in Firefox, you need to add the web server URL (fully qualified as well) to the network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris settings.

You can find these settings by searching among the other configuration options. Type about:config into the URL bar of Firefox to get to them.

Server library

In the setup page you should add all of the SSAS servers which you want to be managed by easyROLES. In our example we will be using Development, Test and Production servers.

Settings page of easyROLES SSAS security manager

The Server Alias column holds a user-friendly name for the server, which is displayed within the tool. The alias needs to be unique for every server and cannot be used twice.

The Full Path column is where you type in the fully qualified domain names of your SSAS server instances. If your server is not running on the default instance, don’t forget to add the instance name after the server name. In such a case your Full Path would look similar to this:


Once you have all of your servers listed in the library, click the green Save button and your easyROLES is ready to manage SSAS security!

Managing roles

You manage SSAS roles on the main page of the tool, called Manage.

The first thing to do is to choose a server. When a server is picked, an additional drop-down appears that lets you pick the database you want to manage. If the selected database contains only one cube, that cube is chosen by default. If the database contains more than one cube, you need to specify which cube you want to secure. The last thing to tell the tool is which role-playing dimension you want to work with.

Selecting SSAS server, database, cube and dimension to be secured

In the above screenshot you can see almost the whole sequence after the choices have been made, with the drop-down menu for the Dimension choice open. Note that the Product and Due Date dimension names have a lock icon next to them. This means that the two dimensions already have security data saved for them within easyROLES.

After all the selections are made, you will be provided with a data grid for role management and an additional options window.

Additional options

You have these options for customization when creating roles with easyROLES.

Here you are able to specify whether visual totals should be applied to the security specification or not. They are on by default, which makes sure that no user can see summaries above the level on which security is set.

If you want to have cross-dimensional security based on two role-playing dimensions, you should exclude the members of that dimension here. Choose it from the drop-down menu.

The last option is to trigger AD validation, if for some reason you would wish to do so. Note that when AD validation is off, you must be sure that the domain and user ID/group specified are correct, and you cannot use email to add users.

Setting up roles

Let the fun begin! Now you get to feel the real power of easyROLES. You got the list from your business project manager with all the user emails and the members to which they should be secured, right? It should look similar to this:

An example of what role security data set could look like

If you have such a list, containing user emails, Active Directory user IDs or Active Directory groups that should be linked to members in this dimension, just paste the list from Excel into easyROLES. Mark the cell in the first row and first column:

empty SSAS role grid

Then press Ctrl + V to paste. Email addresses, user IDs, groups and dimension members are then validated against AD and the SSAS cube that you are working with. All invalid items are marked in red afterwards.

There are three options for you to use when specifying the user information. It can be the user name, the user's email or an AD group to which the user belongs. In other words, Component Manager in the table above could have been specified as:


All of the above would be valid member specifications. An email address is automatically converted into a user ID, as that is ultimately the value needed in the SSAS role specification.

The member caption is used to specify the secured member.

User/group validation

Users and groups are validated live against Active Directory. Any item that is marked in red was not found when querying AD. You need to edit that item by either double-clicking it or navigating to it with the marker and pressing F2 (just like in Excel).

It is possible to save your data set with the invalid items in it, but the invalid rows will be ignored when security is applied to the cube.

Member validation

Members are validated in a similar fashion to the users and groups. Here we add some extra flexibility when it comes to correcting misspelled and erroneous items. When a member is marked in red, either an exact match was not found at all or the member caption is not unique. In these situations we need to clarify which member shall be used for securing the cube. By clicking on a cell containing an invalid member you open a window listing all members that are duplicates of, or just similar to, your original string:

Validating members before they are applied to cube security

Choose the value you were really after and click on it. That value is then applied to the list, and the member unique name is shown next to the valid member to confirm that it is the right one. Here is an example of ‘Derail’, which was validated to be the Model Name ‘Rear Derailleur’:

This is how a member looks after being validated

When your list of securable items is complete, save it. If you are working with cross-dimensional security, make sure all of the users or groups that were secured in this dimension are also secured in the other role-playing dimension.

Apply security settings to the cube

Once all is verified and saved, the only thing left to do is to click the green Apply button to upload the roles into your cube. You will see a confirmation window listing all the role/member combinations that will be inserted into the cube. Confirm by clicking the green ‘Yes, update the roles’ button. Note that at this point all existing roles will be overwritten. You can avoid a complete overwrite by adding the ‘sys_’ prefix (without the quotation marks) to the names of the roles which you want to keep. We recommend using this prefix when you need to have custom advanced roles together with mass-produced roles from easyROLES.
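The following pre-Apply review is an added example, not part of easyROLES. It models the behaviour described above (roles without the sys_ prefix are overwritten, invalid grid rows are ignored) and lists which users or groups would end up without a role. The data structures, the sample names and the exact-case prefix match are assumptions.

```python
# Added example, not easyROLES code. All names and data below are constructed.
KEEP_PREFIX = "sys_"  # prefix the guide says protects a role from being overwritten

def review_apply(existing_roles, grid_rows):
    """Model what clicking Apply would change.
    existing_roles: {role_name: set of principals} currently in the cube.
    grid_rows: [(principal, member_caption, is_valid)] as saved in the grid.
    Assumption: the prefix is matched with exact case; near misses are reported.
    """
    kept = {n for n in existing_roles if n.startswith(KEEP_PREFIX)}
    overwritten = set(existing_roles) - kept
    # Roles that look protected but are not under an exact-case match.
    near_miss = {n for n in overwritten if n.lower().startswith(KEEP_PREFIX)}

    applied, ignored = set(), []
    for principal, member, is_valid in grid_rows:
        if is_valid:
            applied.add(principal.lower())  # Windows account names ignore case
        else:
            ignored.append((principal, member))  # invalid rows are skipped on Apply

    def principals(role_names):
        return {p.lower() for n in role_names for p in existing_roles[n]}

    before = principals(overwritten)
    after = applied | principals(kept)
    return {
        "roles_kept": sorted(kept),
        "roles_overwritten": sorted(overwritten),
        "prefix_near_miss": sorted(near_miss),
        "ignored_rows": ignored,
        "losing_access": sorted(before - after),
        "gaining_access": sorted(applied - before - principals(kept)),
    }

EXISTING = {
    "sys_Admins": {"CONTOSO\\bi-admins"},
    "SYS_Finance": {"CONTOSO\\fin-analysts"},  # wrong case: assumed not protected
    "Role_Bikes": {"CONTOSO\\anna", "CONTOSO\\omar"},
}
GRID = [
    ("contoso\\anna", "Mountain Bikes", True),
    ("CONTOSO\\omar", "Rear Derail", False),  # marked red, so ignored on Apply
    ("CONTOSO\\lee", "Road Bikes", True),
]

if __name__ == "__main__":
    for key, value in review_apply(EXISTING, GRID).items():
        print(f"{key}: {value}")
```

Anyone listed under losing_access had a role before the overwrite and has none afterwards, which is the case to resolve before confirming.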

