Provide only read or browse access to user on all models/cube in specific Analysis Service.

Neha 101 Reputation points
2022-07-22T05:58:43.273+00:00

I have a support LDAP group which was part of Analysis Services admin; however, we don't want to give full permission and will give only read/browse access on cubes for analysis or debugging purposes.

We can add them to a Read role for each model, which will be an additional activity whenever a new cube is deployed. Is it possible to have one access in place for all cubes in AAS?

Azure Analysis Services

Accepted answer
  1. Bhargava-MSFT 31,116 Reputation points Microsoft Employee
    2022-07-25T16:33:59.43+00:00

    Hello @Neha ,

    Sorry, I got mixed up with other Azure services in my previous response.

    For Azure Analysis Services, the permissions of the cubes are handled at the database level. Even if we add an owner role assignment using IAM, it only lets users log on to the analysis server. But they won't be able to see the underlying dbs/models.
    When a user spins up Analysis Services, by default it will add that user to the “analysis services admin” blade. Only this user has full admin permission on the Analysis Services, including adding models (you can add more users to admin services from the Azure portal or using SSMS). Other users added to the IAM page couldn’t see the models except for this user.

    Azure IAM is in relation to the Analysis Service, not the models created on the Analysis Service.

    If we add a user to the role on the cube level, they can use the model (the user can be taken out from IAM and still have access to use the models if they are on the roles).

    For your question, sorry, it is not possible to have one access in place for all cubes in Azure Analysis Services (as there are no server-level logins and permissions available for AAS).
    But to reduce the manual effort, we can script out roles and users from a model and add that script to your deployment. Whenever a new cube is deployed, you just need to add this additional step to add roles and users to the newly deployed cube. In your case, scripting out is a one-time activity.
    These scripts can be easily added to any deployment tools.
    Here is the sample TMSL script to add testuser1 and testuser2 to the read and process role on TabularProject2 DB. The script can be executed using XMLA window in SSMS or by using PowerShell.

    {
      "create": {
        "parentObject": {
          "database": "TabularProject2"
        },
        "role": {
          "name": "Read and Process Role",
          "modelPermission": "readRefresh",
          "members": [
            {
              "memberName": "testuser1@contoso.com",
              "identityProvider": "AzureAD"
            },
            {
              "memberName": "testuser2@contoso.com",
              "identityProvider": "AzureAD"
            }
          ]
        }
      }
    }
    

    Please refer to the below documentation for more details about managing roles and users.
    https://learn.microsoft.com/en-us/azure/analysis-services/tutorials/analysis-services-tutorial-roles
    https://learn.microsoft.com/en-us/azure/analysis-services/analysis-services-database-users

    and please let us know if you have any further questions.


0 additional answers
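
The deployment step described in the accepted answer, as an added example that is not part of the original answer or Microsoft's own code: a PowerShell script that applies a read-only role to each newly deployed model. It assumes the SqlServer module's `Invoke-ASCmd`; the role name `Support Read`, the script parameters and the helper `New-ReadRoleTmsl` are hypothetical, and it uses TMSL `createOrReplace` with `modelPermission` set to `read` so the step can be rerun on every deployment.

```powershell
# Added example: apply a read-only role to each named model, one TMSL command per database.
# Assumes the SqlServer module (Invoke-ASCmd). Server, role and member values are placeholders.
param(
    [Parameter(Mandatory)] [string]   $Server,     # asazure://<region>.asazure.windows.net/<server>
    [Parameter(Mandatory)] [string[]] $Databases,  # models just deployed, e.g. TabularProject2
    [string]   $RoleName = 'Support Read',         # hypothetical role name
    [string[]] $Members  = @('testuser1@contoso.com', 'testuser2@contoso.com'),
    [pscredential] $Credential                     # optional; omit to use the caller's sign-in
)

Import-Module SqlServer -ErrorAction Stop

# Build the TMSL command for one database. createOrReplace overwrites an existing
# role of the same name, including its member list, so the role stays as scripted.
function New-ReadRoleTmsl {
    param([string]$Database, [string]$RoleName, [string[]]$Members)
    $command = [ordered]@{
        createOrReplace = [ordered]@{
            object = [ordered]@{ database = $Database; role = $RoleName }
            role   = [ordered]@{
                name            = $RoleName
                modelPermission = 'read'   # query only: no refresh, no administration
                members         = @($Members | ForEach-Object {
                    [ordered]@{ memberName = $_; identityProvider = 'AzureAD' }
                })
            }
        }
    }
    # Default depth (2) would flatten the members array, so raise it.
    $command | ConvertTo-Json -Depth 10
}

foreach ($db in $Databases) {
    $tmsl  = New-ReadRoleTmsl -Database $db -RoleName $RoleName -Members $Members
    $ascmd = @{ Server = $Server; Query = $tmsl }
    if ($Credential) { $ascmd.Credential = $Credential }

    $result = Invoke-ASCmd @ascmd

    # Invoke-ASCmd returns the XMLA response as text; a failed command
    # carries <Error> or <Exception> elements instead of raising an error.
    if ($result -match '<(Error|Exception)\b') {
        throw "Role deployment failed on '$db': $result"
    }
    Write-Output "Applied role '$RoleName' (read) on '$db'"
}
```

Because `createOrReplace` resets the member list on each run, members added to this role by hand between deployments are removed the next time the step executes.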
