FIX: Information disclosure when you create a session cube by using dynamic role-based security in SQL Server 2012 or SQL Server 2014

Gjelder: SQL Server 2012 Business IntelligenceSQL Server 2012 Analysis ServicesSQL Server 2014 Developer

Symptoms


Consider the following scenario:
  • You implement dynamic security for an Analysis Services database in Microsoft SQL Server 2012 or SQL Server 2014.
  • You add a logon ID (domain\username) to a database role that has denied access to a specific dimension member.
  • You connect to the database by specifying the given logon ID and the database role in the connection string.
  • You create a session cube based on an existing cube that you have read access to.
In this scenario, when you execute a query to retrieve data from the session cube, the result may contain data that you do not have permission to access.

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.