data source authentication for monitoring server

  • Question

  • Hi

    As I read, by default Monitoring server uses its app pool identity to connect to a data source.  What is a non-default way?  Are there any settings I can modify on PPS side to make every connection under a user's identity?  What options are there for me (on PPS, Analysis Services side, etc.) to limit different data sources availability depending on a user?

    Monday, February 11, 2008 8:02 AM

Answers

  • Hi Varya

    To enable user specific security you need to change the Bpm.ConnectionPerUser setting in your monitoring web.config file to true (or add the entry <add key="Bpm.ConnectionPerUser" value="True" /> to the appSettings section if it doesn't exist).

    This allows the user's details to be passed through to the data source and so will allow you to control what data specific users can see via AS roles (or SQL security etc.).

    However, if you are running a distributed environment (data sources on any other server than your PPSM server) you'll need to implement Kerberos security to get this to work, which can be a fiddly job to say the least.

    There's a lot of info out there about how to do this, but this is one of the better ones:

    http://download.microsoft.com/download/5/9/c/59c349f5-f0c8-4b9e-9f70-dbc5f2a8c330/Troubleshooting_Kerberos_Errors.DOC

    Hope this helps

    Tim

    Monday, February 11, 2008 11:14 AM

All replies

  • Hi Tim,

    Did you mean the web.config file that's located in the %installation directory%Microsoft Office PerformancePoint Server\3.0\Monitoring\PPSMonitoring_1\WebService path?

    And do I understand it right that setting Bpm.ConnectionPerUser to true in a distributed environment won't do any user specific security if I use NTLM?

    One more question: if I enable user specific security, will it work in the way that when a user opens a dashboard on SharePoint, the only check for service identity is performed in AS/SQL/other data sources?  Or is there a way for the PPSM to check in this scenario if the user is a valid PPS user, i.e. to do some intermediate check?

    Tuesday, February 12, 2008 7:48 AM
  • Hi Varya

    Yes, that should be the location for the web.config - you can verify this by using IIS and checking the Local Path property of the webservice virtual folder under the PPS Monitoring Web site.

    If you set the Bpm.ConnectionPerUser property to true in a distributed NTLM environment then the user will be denied access, as the "Anonymous" user's details will get passed through to the data source.

    Final question - there is no built-in way to check that a user is a valid PPSM user that I can think of.  You could of course secure your SharePoint pages to only be viewed by users who are members of a PPSM users Active Directory group (for example).  From a data point of view, if the user has access via cube roles then if they have Excel (and the relevant ports are opened) they will be able to access the data anyway.

    Hope I've understood your questions correctly?

    Tim

    Tuesday, February 12, 2008 9:38 AM
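An added example (not code from the thread or from the PerformancePoint product) that audits the Bpm.ConnectionPerUser setting the two answers above describe: it reads the appSettings entry out of a web.config (absent means false, i.e. app pool identity), can add or flip the entry, and encodes which identity actually reaches the data source for the local/distributed and NTLM/Kerberos combinations Tim lists. The web.config content below is a constructed sample, not the real file.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Monitoring web.config appSettings section
# (only the key name is taken from the thread).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="Bpm.ConnectionPerUser" value="True" />
  </appSettings>
</configuration>
"""

SETTING = "Bpm.ConnectionPerUser"


def connection_per_user(web_config_xml: str) -> bool:
    """Effective value of Bpm.ConnectionPerUser; missing key means False."""
    root = ET.fromstring(web_config_xml)
    for add in root.findall("./appSettings/add"):
        if add.get("key") == SETTING:
            # .NET parses the value case-insensitively ("True"/"true").
            return (add.get("value") or "").strip().lower() == "true"
    return False


def enable_connection_per_user(web_config_xml: str) -> str:
    """Return the config with the setting forced to True, adding it if absent."""
    root = ET.fromstring(web_config_xml)
    app = root.find("appSettings")
    if app is None:
        app = ET.SubElement(root, "appSettings")
    for add in app.findall("add"):
        if add.get("key") == SETTING:
            add.set("value", "True")
            break
    else:  # no existing entry: add one, as the answer suggests
        ET.SubElement(app, "add", key=SETTING, value="True")
    return ET.tostring(root, encoding="unicode")


def effective_identity(per_user: bool, distributed: bool, kerberos: bool) -> str:
    """Identity that reaches the data source, per the answers in this thread."""
    if not per_user:
        return "app pool identity"
    if distributed and not kerberos:
        # NTLM cannot forward the user's credentials to a second server,
        # so the data source sees the anonymous user and denies access.
        return "anonymous (access denied under NTLM)"
    return "end user identity"
```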
  • Yes, you understood my questions right.  Thanks a lot for your help!

    Tuesday, February 12, 2008 11:51 PM
  • Hi Varya

    No problem.  Just to add, the PPS team have just released a great document which covers this and lots of other good stuff:

    http://blogs.msdn.com/performancepoint/archive/2008/02/12/monitoring-server-connectivity-document.aspx

    Tim

    Wednesday, February 13, 2008 9:14 AM
  • Hi Tim,

    I'm asking for your help once more.  The blog article http://blogs.msdn.com/performancepoint/archive/2007/07/12/security-considerations-for-monitoring-server.aspx mentions yet another way of connecting to data sources: the use of the CustomData field on an Analysis Services connection string.

    Does this connection string work for accessing data sources only in Dashboard Designer?  I mean the following:

    1) I have an AS db where DOMAIN\User1 has the necessary permissions.

    2) I create an AS data source in Dashboard Designer using the custom connection string with User1 credentials.

    3) There is a SharePoint site running under the DOMAIN\User2 identity.

    4) I create a dashboard containing elements using the data source from step 2, and I deploy the dashboard to SharePoint.

    When somebody tries to view the dashboard on SharePoint, will the connection to the data source be made using the User1 or User2 identity?

    Thursday, February 14, 2008 12:40 AM
  • Hi again Varya

    Nick B has done (another!) great blog on this:

    http://nickbarclay.blogspot.com/2008/01/pps-data-connection-security-with.html

    I've not implemented it myself, but from what I've read I think it may meet your requirement, with a little more work on the query design side (feel free to dive in here Nick if you're reading!).

    Hope this is helpful

    Tim

    Thursday, February 14, 2008 8:58 AM