locked
PPS security implementation RRS feed

  • Question

  • Hi Friends,

    I have one question regarding the security implementation at PPS level. i have created roles in my SSAS database and assign users to those roles.

    but when a user connect PPS than PPS connect to the SSAS with application pool identity not with the user name. hence he will not able to data according to his roles in the cube.

    Should i change the directory security from windows authentication to some other level or what.

    Please suggest the approriate mathod to implement this.

    Thanks in advance.


    lntinfotech
    Wednesday, February 4, 2009 2:30 PM

Answers

  • Yes, out of the box PPS uses the application pool identity to access data sources.  
    I believe another option for security is CustomData security.  I have never implemented it, nor had to troubleshoot it but here is a good blog written on it:

    http://nickbarclay.blogspot.com/2008/01/pps-data-connection-security-with.html


    Aseem Nayar - MSFT
    This posting is provided "AS IS" with no warranties, and confers no rights
    • Marked as answer by Rahul_DWH Friday, February 6, 2009 8:24 AM
    • Edited by AseemN Friday, February 6, 2009 3:26 PM fix spelling
    Thursday, February 5, 2009 4:23 PM

All replies

  • Hello,

    Are you in a distributed enviornment or are you in standalone?  If you are a standalone then you need to change the Bpm.ServerConnectionPerUser setting in your web.config files for SharePoint, Preview, and the Monitoring Webserivce to = True. 

    If you are in a distriubted enviornment then you would need to change the setting to true and then implement Kerberos:

    http://technet.microsoft.com/en-us/library/bb838742.aspx


    Aseem Nayar - MSFT

    This posting is provided "AS IS" with no warranties, and confers no rights
    Wednesday, February 4, 2009 3:21 PM
  • Thanks for your reply Aseem.
    I have the whole set up (SSAS,PPS,SharePoint) on distributed environment.
    Is there any other way to implement security other than Kerberos ?
    If not then is this only because a web application (PPS) always use application pool identity to log in other resource and that can only overwritten by Kerberos ?

    Please advise.
    lntinfotech
    Thursday, February 5, 2009 11:55 AM
  • Yes, out of the box PPS uses the application pool identity to access data sources.  
    I believe another option for security is CustomData security.  I have never implemented it, nor had to troubleshoot it but here is a good blog written on it:

    http://nickbarclay.blogspot.com/2008/01/pps-data-connection-security-with.html


    Aseem Nayar - MSFT
    This posting is provided "AS IS" with no warranties, and confers no rights
    • Marked as answer by Rahul_DWH Friday, February 6, 2009 8:24 AM
    • Edited by AseemN Friday, February 6, 2009 3:26 PM fix spelling
    Thursday, February 5, 2009 4:23 PM
  • Thank you very much aseem for such a precise and useful information.
    lntinfotech
    Friday, February 6, 2009 8:25 AM