Ok, but [SUB::SAS.IdentityGroups] is exactly the part we need. That's how authorization will be defined in our metadata. Each user is part of one or more groups, and each group has access to a certain part of the data. By the way, we have no descendants in our authorization dimension. Example: Hospital A Hospital B Hospital C Person 1 may have access to the data of one hospital, Hospital B for instance. But a second person may have access to 2 hospitals, B and C. The first person only gets group B. The second person gets groups B and C. In the above example we could add each group to the authorization of the cube, and then assign a member to each group. But that becomes very time consuming when there are 50 or even 100 groups. In that case it would be much easier if you could set the authorization on SASUSER for instance, using the identity groups. The only thing we could come up with is that [SUB::SAS.IdentityGroups] resolves into a list of groups and that [Auth_dim].[All Auth_dim].[SUB::SAS.IdentityGroups] is incorrect syntax when there are more answers than one.
... View more