Jens Vestergaard walks through permission scope in SQL Server Analysis Services:
What this post will not be about: The how to setup basic dimension security in SSAS nor How do you manage Security.
In this post, I will highlight the difference between standard NTFS permission scope and the way SSAS handles Allowed and Denied sets when dealing with multiple roles. So if you define multiple roles on your solution, you should be on the lookout, because SSAS has some surprises.
It’s interesting that allowed permissions take precedent over denied permissions, as that’s not the norm for either NTFS or the SQL Server database engine.