How to provide read or browse access to a user on all models/cubes in a specific Analysis Services server

March 21, 2023 By Bhargava

For Azure Analysis Services, permissions on cubes are handled at the database level. Even if we add an Owner role assignment using IAM, it only lets users log on to the Analysis Services server; they cannot see the underlying databases/models.
When a user spins up an Analysis Services server, that user is added by default to the “Analysis Services Admins” blade. Only this user has full admin permission on the server, including adding models (you can add more users as server admins from the Azure portal or using SSMS). Other users added on the IAM page cannot see the models.

Azure IAM relates to the Analysis Services resource, not to the models created on it.

If we add a user to a role at the cube level, they can use the model (the user can be removed from IAM and still have access to the models as long as they are in the role).

It is not possible to put a single access grant in place for all cubes in Azure Analysis Services, as there are no server-level logins and permissions available for AAS.
To reduce the manual effort, we can script out the roles and users from a model and add that script to the deployment. Whenever a new cube is deployed, you just need this additional step to add the roles and users to the newly deployed cube. In your case, scripting out is a one-time activity.
These scripts can easily be added to any deployment tool.
Here is a sample TMSL script that adds testuser1 and testuser2 to a read and process role on the TabularProject2 database. The script can be executed from an XMLA window in SSMS or by using PowerShell.

{
  "create": {
    "parentObject": {
      "database": "TabularProject2"
    },
    "role": {
      "name": "Read and Process Role",
      "modelPermission": "readRefresh",
      "members": [
        {
          "memberName": "testuser1@contoso.com",
          "identityProvider": "AzureAD"
        },
        {
          "memberName": "testuser2@contoso.com",
          "identityProvider": "AzureAD"
        }
      ]
    }
  }
}
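
The deployment step described above, as an added PowerShell example that is not part of the original post: it lists every database on the server and applies a query-only role to each one with createOrReplace, so re-running it is safe. The server URI and the role name Readers are placeholders; it grants read rather than the sample's read-and-refresh permission, and it assumes the SqlServer module is installed and the caller is a server administrator.

```powershell
# Added example, not from the original post. Requires the SqlServer module (Invoke-ASCmd).
# Server URI and role name are placeholders/assumptions; members are the post's sample users.
Import-Module SqlServer

$Server   = 'asazure://<region>.asazure.windows.net/<servername>'   # placeholder
$RoleName = 'Readers'                                               # assumed role name
$Members  = @('testuser1@contoso.com', 'testuser2@contoso.com')

function New-ReadRoleTmsl {
    param([string]$Database, [string]$Role, [string[]]$MemberNames)
    # createOrReplace makes the step idempotent: each run resets the role
    # to exactly this member list instead of failing on an existing role.
    $command = @{
        createOrReplace = @{
            object = @{ database = $Database; role = $Role }
            role   = @{
                name            = $Role
                modelPermission = 'read'    # query only, no refresh/process rights
                members         = @($MemberNames | ForEach-Object {
                    @{ memberName = $_; identityProvider = 'AzureAD' }
                })
            }
        }
    }
    $command | ConvertTo-Json -Depth 6
}

# List every database on the server through the DBSCHEMA_CATALOGS DMV.
# Single quotes keep PowerShell from expanding $SYSTEM as a variable.
[xml]$catalogs = Invoke-ASCmd -Server $Server -Query 'SELECT [CATALOG_NAME] FROM $SYSTEM.DBSCHEMA_CATALOGS'
$databases = @($catalogs.return.root.row | ForEach-Object { $_.CATALOG_NAME })

foreach ($db in $databases) {
    $tmsl   = New-ReadRoleTmsl -Database $db -Role $RoleName -MemberNames $Members
    $result = Invoke-ASCmd -Server $Server -Query $tmsl
    # Invoke-ASCmd returns the XMLA response as text; a failed command
    # appears in it as an <Error> element rather than a PowerShell exception.
    if ($result -match '<Error') { throw "Role deployment failed on '$db': $result" }
    Write-Output "Role '$RoleName' (read) applied to $db"
}
```

Because the member list is replaced on every run, keeping it in source control gives a reviewable record of who can query each model.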

Refer to the documentation below for more details about managing roles and users.
https://learn.microsoft.com/en-us/azure/analysis-services/tutorials/analysis-services-tutorial-roles
https://learn.microsoft.com/en-us/azure/analysis-services/analysis-services-database-users