Security not applied to published Dashboard

  • Question

  • Hello,

     

    I am trying to apply "ConnectionPerUser" security model in PPS since I need to control dimension data visibility based on the connecting user. I followed the following steps:

     

    1) Changed the Bpm.ServerConnectionPerUser setting to true in the web.config files for both the Monitoring Web Service and Preview sites, but all users still could see all the data in the Dashboard published on a WSS site.

     

    2) Tried removing the NetworkService user from the cube Role. No data was loaded in the published dashboard then and I got the following error on the filters: "No selections available. Contact your system administrator for assistance.."

     

    3) Now I tried previewing that Dashboard from the "Preview" option in the Dashboard Designer, everything is working smoothly there and dimension visibility is applied according to the connected user.

     

    What is it that I am missing? Are there any settings I need to change for the WSS site to get it to connect using the current user instead of network service?

     

    I have another question, what is it that the "UseASCustomData" setting does? In a situation like mine, is it enough to set the ServerConnectionPerUser setting to true and that should pass in the UserName that the roles MDX could resolve or do I have to set UseASCustomData to true as well?

     

    Also I found an mdx snippet for setting roles dynamic security which is utilizing "CustomData()" to pass login Id, in the place where I'd naturally use the MDX function "UserName", what is that CustomData() function? It is not present in the MDX functions reference.

     

    Thanks,

    Katara

    Tuesday, November 6, 2007 12:11 PM

Answers

  • Katara,

     

    Make sure you change the ConnectionPerUser to true in the web.config on your SharePoint box - that may be the problem. %Inetpub\wwwroot\wss\VirtualDirectories\80.

     

    Below are two references to CustomData. It's part of the SSAS 2005 connection string that allows you to pass in a string which can later be used kind of like a connection-level variable. In PPS' case (once UseASCustomData is enabled) the connection that is made to the cube contains the domain\username of the current user in CustomData which can then be referenced in MDX.

     

    http://cwebbbi.spaces.live.com/blog/cns!7B84B0F2C239489A!176.entry

    http://msdn2.microsoft.com/en-us/library/ms145582.aspx

     

    Cheers,

    Nick

    Tuesday, November 6, 2007 5:50 PM
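
An added example, not part of the original thread or of PerformancePoint's own code: how a role's allowed member set can resolve the caller through UserName on a per-user connection versus CustomData() on a shared connection, as the answer above describes. The server, catalog, dimension, attribute and measure names are hypothetical.

```mdx
-- Constructed connection string, as a mid-tier might send it when the
-- CustomData approach is used (server, catalog and user are hypothetical):
--   Provider=MSOLAP;Data Source=ssas01;Initial Catalog=Sales;CustomData=CONTOSO\katara

-- (a) Per-user connection: the cube sees the caller's own Windows identity.
--     Allowed member set on the hypothetical attribute [Employee].[Login]:
{ StrToMember("[Employee].[Login].&[" + UserName + "]", CONSTRAINED) }

-- (b) Shared service-account connection: the identity arrives in CustomData.
--     Same attribute, same expression, different source for the login:
{ StrToMember("[Employee].[Login].&[" + CustomData() + "]", CONSTRAINED) }

-- (c) The same idea through a user-to-region bridge measure group, so that
--     each login only sees the regions mapped to it
--     ([Measures].[Employee Region Count] is a hypothetical bridge measure):
NonEmpty(
    [Region].[Region].Members,
    ( StrToMember("[Employee].[Login].&[" + CustomData() + "]", CONSTRAINED),
      [Measures].[Employee Region Count] )
)

-- CONSTRAINED makes StrToMember accept only a plain member name, so a
-- CustomData value carrying extra MDX raises an error instead of being
-- evaluated, and an unknown login resolves to no access.
```

CustomData is whatever the connecting client puts in its connection string, so a role that relies on (b) or (c) should have as its only member the account the web tier connects as; a user who is a direct member of that role could supply any CustomData value.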

All replies

  • Hello,

    I have pretty much the same scenario and have changed the 'Bpm.ServerConnectionPerUser' property to True in the web.config files for the Monitoring Web Service and Preview sites and also in the SharePoint site web.config file.

    Everything works fine when viewed through the PPS preview site.

    However, the PPS reports and scorecards throw errors when viewed through the SharePoint site.

    Could it be because SSAS, PPS & SharePoint are in three separate servers and Kerberos has not been implemented? If yes, is there any way to do this without using Kerberos?


    Thanks,
    Aayush

    Monday, March 9, 2009 11:53 AM
  • Hi Aayush,

    Since all three are in different servers you will be facing a double-hop scenario. In your case you have to go for Kerberos authentication. One thing you can do is to move both PPS and SharePoint to one machine or SSAS and PPS to one machine. But when you access the application from a client machine you might still face Kerberos.


    Regards,
    Ram
    Monday, March 9, 2009 12:58 PM