When you want to want to govern the acces your users have to your data in the SSAS cube’s you have the ability to use Roles to set secutiry on all sorts of levels, from cube level to dimension data.
We want our users to get only acces to different parts of the data, like department managers to only data from sales in their department. When setting security on department levels Autoexists take care of the security on other dimensions and present the reports through reporting services to only show data with the department data selected in the query as well so Autoexists can do its task. This makes usermanagement of roles somewhat easier to maintain. But users who have acces to the cube can also connect a cube through Excel and thus bypass the dimension Departments where we have put our secutiry, to counter this you can set secutiry on all dimensions you want the user to see or make sure the user can’t connect to the SSAS cube you don’ t want want to connect him to. My collegue Marc Valk found out you can add a group policy that disables the “get external data”, ” from other sources” tab in excel:
http://www.marcvalk.net/2009/06/gpo-disable-office-ribbon-menu-items/
This makes sure users cannot make a connection themselves but still can open existing connections from e.g. SharePoint.