locked
Analysis Services 2005 Security Role and ProClarity not working RRS feed

  • Question

  •  

    Hi All,

                I have created a Role 'Test Role' in SSAS 2005 which allows members of the employee dimension to view their own data only.

     

    Example: Employee 'A' will be able to view their own sales figures. Employee 'A' cannot view the data of employee 'B'; but manager 'X' of employee 'A'  and employee 'B' will be able to view data of both 'A' and 'B'.

     

    Here is the problem: When I am browsing the cube using the SSAS 2005 cube browser, after changing the user to the 'Test Role' by clicking on the 'change user' icon on the browser window,  the security limitation assigned to the role works fine; BUT when I am browsing the cube using ProClarity Desktop the security feature of restricting the users doesn't work.

     

    How can I implement the 'Role' to be effective on ProClarity also; and I would like to have the 'test role' as the default security context when I am usign the SSAS 2005 browser.

     

    Please help.

     

    Thanks

    Bidyut

     

    Thursday, September 4, 2008 9:46 AM

Answers

  • If you tried to test your role by adding your username to the role, ProClarity sends the Username to SSAS and the server will determine which roles the ID belongs to.  If it belongs to multiple roles, and one of those is the Admin role, then the Admin rights trump all other rights.  I'm guessing that is what may be happening in this case.  The SSAS browser can ignore your Admin rights to show you how the Role would behave.  A typical OLAP client cannot do that. 

     

    In order to properly test a role in ProClarity, you will need to have a Windows Account that is not a part of any other role.  When you open up the ProClarity Desktop, you will need to go to the Connect Dialog off of the Open Cube Dialog and click the Advanced button in order to type in your Windows Account that you want to test (you will need to know the password as well).  I use this all the time to test my cube security and it works great.  However, it will not work with an account that also has Admin rights on the cube.

     

    Monday, September 15, 2008 5:26 PM

All replies

  • Hello Bidyut,

     

    You will need to ensure that your Admin Tool server's properties are set to 'Cubes use OLAP security".  This option can be found by right clicking your server name and choosing Properties / Logging and Security.  ProClarity should honor whatever roles you have established within your cubes.  You might also verify these test users are not members of multiple roles.

     

    And regarding your last question; I'm not aware of any way to default to a particular role for testing in SSMS.

     

    Thanks,

    Amanda

     

    Thursday, September 4, 2008 9:53 PM
  • You'll also want to be sure the test user is the user actually hitting the cube (SSAS profiler can tell you that), and that you don't have them in a role that would grant them more permissions...such as an admin role.
    Thursday, September 4, 2008 11:52 PM
  • Hi Amanda,

     

                      Thank you for your response.  On the the ProClarity Admin tool 'Properties ->Logging and Security' is already set to 'Cubes use OLAP Security'. I just have one role in the project, the 'test role' so the there should be no conflict.

     

    As per Ben's suggestions I ran the Profiler.

     

    This is what the Profiler shows under different test conditions:

     

    (1) When browsing the cube using ProClarity,Profiler 'Event Class' is 'Session Initialize' and 'Text Data' is ' *, Test Role'.

    (2) SSAS 2005 browser and security context is 'Current User', Profiler 'Event Class' is 'Session Initialize' and 'Text Data' is ' *, Test Role'.

     

    (3) SSAS 2005 browser and security context is Role->'Test Role',  Profiler 'Event Class' is 'Session Initialize' and 'Text Data' is only 'Test Role', the ' * ' disppears. Only the security context 'Role->Test Role' gives me the desired cube browsing functionality.

     

    Does the '*,Test Role' mean that the 'Current User' and  the'Test Role', both are being used?

     

    If so, then how can I restrict the browsing the cube using the 'Test Role' only?

     

    Ben thank you for suggesting to use the Profiler ( I had stopped using it).

     

    Regards

    Bidyut

     

     

     

    Friday, September 5, 2008 2:33 AM
  • In the trace, you'll want to take a look at the "NTUserName" column.  Make sure that's what you expect it to be.  Also, there must be an admin role of some kind (even if it's just the built-in local admin role on the machine) for the SSAS instance, so be sure that user isn't included in that role somehow.

     

    Monday, September 8, 2008 11:24 PM
  • If you tried to test your role by adding your username to the role, ProClarity sends the Username to SSAS and the server will determine which roles the ID belongs to.  If it belongs to multiple roles, and one of those is the Admin role, then the Admin rights trump all other rights.  I'm guessing that is what may be happening in this case.  The SSAS browser can ignore your Admin rights to show you how the Role would behave.  A typical OLAP client cannot do that. 

     

    In order to properly test a role in ProClarity, you will need to have a Windows Account that is not a part of any other role.  When you open up the ProClarity Desktop, you will need to go to the Connect Dialog off of the Open Cube Dialog and click the Advanced button in order to type in your Windows Account that you want to test (you will need to know the password as well).  I use this all the time to test my cube security and it works great.  However, it will not work with an account that also has Admin rights on the cube.

     

    Monday, September 15, 2008 5:26 PM
  • Thank you Ben and Jpicker. Yes, I am one of the admins on the server. After creating a Windows Account
    I tested the report and it works. But I am a bit surprised that ProClarity cannot ignore the Admin rights and work according to rights assigned to the role.

     

    Regards

    Bidyut

    Tuesday, September 16, 2008 8:06 AM