You can divide users into a few groups. This is the case, for example, if the authorizations need to be checked only on the level of the InfoCube. You can then, for example, create roles that allow you to run queries from the current InfoCube(s). You can then assign one or more roles to the user.

The administration of the authorizations, rolls, and user assignments can occur here completely along with the role maintenance (transaction PFCG). The work is, in comparison, quite low. The assignment of roles to users can also occur in the maintenance of the user (SU01) or that of the central user administration.