At a minimum, three mandatory security roles must be set up for the Teradata solution. Your solution installation documentation explains how these are created.
- TBI_SERVICE
This role grants access to all fact and dimension tables on the server for the MDX Service Account. The cube administrator uses Teradata Schema Workbench to restrict this broad access for each cube and cube dimension. See Setting Up an MDX Service Account and OLAP Connection.
The DBA must create one user associated with the TBI_SERVICE role, such as tbiservice, and keep the password confidential. This is called the Teradata BI Service Account. The username and password are entered one time into the Teradata Schema Workbench, which puts them in the Teradata BI Model Repository. The username and password are transmitted to and from the Teradata BI Model Repository in encrypted form and are kept in the repository in encrypted form.
- TBI_WORKBENCH
This role grants schema publishing rights to the Teradata BI Model Repository. Without this right, a user does not have privileges to load or publish from the Teradata BI Model Repository. This role enables cube administrators to define cube schemas and set security on cubes and cube dimensions in Teradata Schema Workbench. All cube administrators should be assigned this Teradata Database security role.
- TBI_USER
This role grants individual user access rights to the Teradata BI Model Repository. Any user intending to use Teradata OLAP Connector must be granted this role.
BI client application users can log in with their regular database account and password to make initial MS Excel connection. The cube administrator must ensure that these database accounts have the TBI_USER role.