ProClarity Analytics Server execution account and data security. RRS feed

  • Question



    I have the following user requirement.

    There are more than 50 users who like to access sales data. Each user is tied to a region. So only a relevant user should be able to view the sales figures.There are more than 50 regions, one user for each region.

    There are lots of dimensions and measure groups in the cube therefore the SSAS 2005 'Role' feature is not easily manageble.

    The alternate solution I was thinking about is as follows:

    (1)Create a breifing book with all the 'regions' in the slicer.

    (2) Publish the breifing book to PAS. Access the PAS report through a ASP.Net web page.

    (3) As user logins are mapped to 'region' we can call the PAS report by passing the 'region' parameter in the URL.

    Till here it looks okay; but I don't want to add any user to SSAS 'Role'. I want the MDX query to be executed, from PAS to SSAS 2005, as a different user (execution account), an account that has 'read' rights on the sales cube. As soon as a user logs in, the login id is tracked and the approriate 'region' is passed to PAS as a parameter then the MDX query executes in SSAS 2005. I want this MDX query to be executed as a user with 'read' access only. Is there a way to define the execution in PAS, like Global.asa, Global.asax? Thanks for your help.


    Monday, October 5, 2009 6:50 AM

All replies

  • Ben's response :

    On the surface though, it would appear you could enable your IIS authentication for anonymous and add a service account with read access to the cube as the anonymous account.  All queries to SSAS would then be run under that account and you could parameterize as necessary.  I would however caution you that URL parameters are not a suggested means of security at the data level, as it would be quite possible for a user to capture the URL being sent to the server, and then modify it to show data they should not be allowed to see.

    Tuesday, October 6, 2009 6:33 AM
  • Hi Ben,

    Many thanks for the response. It helps a lot. I have a few questions related to 'anonymous' authentication.

    Currently, the 'Anonymous access' is not checked on IIS. 'Integrated Windows authentication' is checked. Could you please explain in brief the security impact of checking 'Anonymous access'? Can any user on the network access the cube data from the web page or access any breifing book publsihed to PAS? Can I have both, Windows Authentication and Anonymous Access, as I need to track the user login based on which the region data would be displayed from the cube?   Using .Net I can encrypt the URL and the parameters, so it would remove one more security loophole.

    Best Regards

    Tuesday, October 6, 2009 6:49 AM