Complex Role manager in ssas tabular cube?

I am puzzled about the Role Manager in Visual Studio when working with SSAS tabular cubes:

Is my understanding correct?

When a user logs to the cube, the “security” will check each role and see if the user is in that role… if the user is in the role; it gives the said access.

If the user is in multiple roles, it will give some sort UNION between all of them, so the user can see as much as possible , correct?

Is this documented anywhere?

Ps: is there also documentation in cases where you force less access (like having a ‘users’ table and putting that filter in a .pbix only on a specific page?

Solution 1:

From https://docs.microsoft.com/en-us/analysis-services/tabular-models/roles-ssas-tabular?view=asallproducts-allversions#permissions

"A group or user can be a member of any number of roles, each role with a different permission. When a user is a member of multiple roles, the permissions defined for each role are cumulative. For example, if a user is a member of a role with the Read permission, and also a member of a role with None permission, that user will have Read permissions."

One important result of this in SSAS, is that Server Admins can read everything always.

Also don't confuse access from filters. Access of "None" means I cannot ever access the data. Access of "Read" plus a page filter will not prevent me from accessing the data from Q+A or Analyze in Excel. Use filters in roles for security. A security table used in a filter in a role will prevent access. If the filter is just on the visual or page, the data is not secure, just not shown.