User level roles and securities

  • Question

  • Hi,

    My Software Configuration is,
    • Windows Server 2003 with SP2,
    • SQL Server 2008 Developer Edition,
    • SharePoint Server 2007 RTM,
    • PerformancePoint Server Monitoring RTM with SP2
    I have installed PPS-M as a standalone installation under system administrator privilege. All three application pools (Central, Preview & Webservice) have the 'Network Service' account.

    I have created two test users, 'User1' and 'User2'. I have three cubes in the Analysis Services database. I have created user roles for those cubes as follows:

    Cube1        :        User1 & User2,
    Cube2        :        User1,
    Cube3        :        User2.

    Connecting to the Analysis Services database through Excel, everything is working fine.

    'Run as' Administrator        :        All three cubes are visible for me.
    'Run as' User1                     :        Only cube 1&2 are visible for me.
    'Run as' User2                     :        Only cube 1&3 are visible for me.

    If I try to make a connection from PPS-M using the 'Analysis Services' datasource template, PPS-M does not display any database. If I give 'NT AUTHORITY\Authenticated Users' privilege in the overall Analysis Services database security, then all the databases and their cubes are displayed without any of the given restrictions.

    Can anyone help me to solve this issue?

    Regards,
    Sujeev
    Wednesday, April 22, 2009 11:39 AM

All replies

  • By default it is going to use the permissions that the web service application pools have unless you modify the setup to use Kerberos.  For more information in regards to this refer to this link and all of the materials provided.  There is a nice video on how to configure this.

    Configuring Kerberos Security with PerformancePoint Monitoring Server 2007
    Dan English's BI Blog
    _____________________________________________________
    Please mark posts as answer or helpful when they are.
    • Proposed as answer by Dan English Wednesday, April 22, 2009 12:33 PM
    • Marked as answer by Sujeev Friday, April 24, 2009 1:40 PM
    Wednesday, April 22, 2009 12:19 PM
  • Hi,

    Thank you for your reply. I'll go through the video content and let you know about my status.

    Regards,
    Sujeev
    • Marked as answer by Sujeev Friday, April 24, 2009 1:40 PM
    • Unmarked as answer by Sujeev Friday, April 24, 2009 1:41 PM
    Wednesday, April 22, 2009 12:32 PM
  • Sounds good.  Another link that might be useful by Nick Barclay - PPS Data Connection Security with CustomData.
    Dan English's BI Blog
    • Marked as answer by Sujeev Friday, April 24, 2009 1:41 PM
    Wednesday, April 22, 2009 12:36 PM
  • Hi Dan,

    Thank you, it is working. I solved the issue. The video content really helped me.

    Once again thank you for your effort.

    Regards,
    Sujeev
    Friday, April 24, 2009 1:40 PM
  • Hi Dan,

    I am facing another problem.

    I have set my 'Application Pool' identity as follows,
    • PPSMonitoringCentral           - Network Services
    • PPSMonitoringPreview          - Local Administrator (Configurable)
    • PPSmonitoringWebServices - Local Administrator (Configurable)

    Now, using these identities, I can restrict my users based upon their roles.

    But I cannot see my already published databases, dashboards or reports if I click 'Refresh', and it is not allowing me to publish the databases, dashboards or reports. It throws the following error:

    An unknown error has occurred. If the problem persists contact an administrator. There may be additional information in the server
    application event log.
    

    Could you help me solve this issue?

    Regards,
    Sujeev
    • Edited by Sujeev Saturday, April 25, 2009 6:52 AM
    Saturday, April 25, 2009 6:46 AM
  • Did you take a look at the Application Event Log and look at the PerformancePoint Monitoring Server errors?  That should provide you more detail as to what is happening.  Is the account that you set up that is running the Application Pool set up in the PPSMonitoring SQL Server database in the BPMDeveloper Role?  Are you set up as an Admin in PerformancePoint Server security?


    Dan English's BI Blog
    Saturday, April 25, 2009 11:58 AM
  • Hi,

    The Application Event Log for this error is as follows,

    Event Type:	Error
    Event Source:	PerformancePoint Monitoring Server
    Event Category:	None
    Event ID:	0
    Date:		4/25/2009
    Time:		5:37:13 PM
    User:		N/A
    Computer:	***********
    Description:
    System.NullReferenceException: Object reference not set to an instance of an object.
       at Microsoft.PerformancePoint.Scorecards.Server.PmServer.GetDashboards()
    
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    

    This problem arose only after Bpm.ServerConnectionPerUser was set to True in the Web.config for both the Preview and the WebService. Before that it was working fine, but the per-user restriction was not there. Each user could see all the Analysis Services databases.

    I changed the 'True' value to 'False' for the Bpm.ServerConnectionPerUser. But still I'm experiencing the same problem.

    How can I solve this issue?

    Regards,
    Sujeev
    Saturday, April 25, 2009 12:19 PM
  • Is the account that you set up that is running the Application Pool set up in the PPSMonitoring SQL Server database in the BPMDeveloper Role?  Is this account set up and are you set up as an Admin in PerformancePoint Server security?  Did you set up the NT Authority\Authenticated Users to have Reader permissions on the PerformancePoint objects?  After you make a change in the web.config file you should recycle the Application Pool in IIS and test again.  Verify that the account you set up for running the Application Pool is set up properly and has the necessary access needed in the database and within PerformancePoint security.
    Dan English's BI Blog
    Saturday, April 25, 2009 12:25 PM
  • Hi,

    Please tell me, what is the BPMDeveloper Role, and how do I configure it?

    I have installed the SQL Server 2008 under Administrator privilege and same for the PPS-M.

    Previously, I tried the 'NT Authority\Authenticated Users' security in the Analysis Services. If I give this, then all the users can see all the databases. No restriction will be there.

    If I create any datasource, report, scorecard or dashboard, then two permissions are automatically set on those objects. One is the current user having Admin and the other is 'NT Authority\Authenticated Users' having Read permissions. It is the same in my case.

    After any change in the application pool identity or in the web.config file, I restart IIS. All are having the Admin privilege.

    Regards,
    Sujeev
    Saturday, April 25, 2009 1:15 PM
  • The BPMDeveloper role is in the actual SQL Server database called PPSMonitoring.  You need to connect to the database engine with SQL Server Management Studio and make sure that the identity running the PPS Web Service is set up in this database role.  Make sure this account is also set up in the Admin role within the PPS application security, and you will want to make sure that you are set up in this role too (or at least creator, but most likely admin).

    When you create objects in PPS the user creating the objects is assigned the Editor permission and there is an option that you can check to enable the Authenticated Users to have Reader permissions, so maybe you are checking that box.

    Make sure that the user trying to publish items has the necessary PPS permissions to do so - Application Security for Monitoring Server.  Here are a couple more links to reference in regards to security:

    PerformancePoint Monitoring Data Source Connection Problems

    Configuring PerformancePoint Monitoring Server Component Connectivity

    The other thing that you need to make sure of, though it doesn't sound like it is an issue, is that the account running the Application Pool is set up in the IIS_WPG group on the server, but if the Application Pool is running and you can connect to the Preview site it sounds like you should be okay there.


    Dan English's BI Blog
    • Marked as answer by Sujeev Monday, April 27, 2009 12:22 PM
    Saturday, April 25, 2009 1:29 PM
  • Hi Dan,

    It is working for me.

    Thanks a lot for your effort.

    Steps I carried out,

    1. Uninstalled the PPS-M from my machine.
    2. Restarted my machine.
    3. Installed 'PPS-M' in my machine.
    4. Installed 'SP1', 'HotFix-1' and 'SP2'.
    5. Configured the PPS-M.
    6. Restarted my machine.
    7. Changed the value of the 'Bpm.ServerConnectionPerUser' to True in the Preview's web.config file.
    8. Restarted the IIS.
    9. Opened and checked the Dashboard Designer - all are working fine.
    10. Changed the value of the 'Bpm.ServerConnectionPerUser' to True in the WebServices's web.config file.
    11. Restarted the IIS.
    12. Opened and checked the Dashboard Designer - all are working fine.

    Now, everything is working fine.

    Once again thanks a lot for your timely help.

    Regards,
    Sujeev
    Monday, April 27, 2009 12:30 PM
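
The thread turns on the 'Bpm.ServerConnectionPerUser' value in the Preview and WebService web.config files. The following is an added example, not code from any poster or from PerformancePoint, that checks both files for the setting and reports sites that disagree or still connect as the application pool identity. It assumes the key is stored as an `<add key="..." value="..."/>` entry under `<appSettings>` with no XML namespace on the root element; the two config strings are constructed samples.

```python
import xml.etree.ElementTree as ET

KEY = "Bpm.ServerConnectionPerUser"

# Constructed sample web.config contents (not taken from a real server).
PREVIEW_CONFIG = """<configuration>
  <appSettings>
    <add key="Bpm.ServerConnectionPerUser" value="True" />
  </appSettings>
</configuration>"""

WEBSERVICE_CONFIG = """<configuration>
  <appSettings>
    <add key="Bpm.ServerConnectionPerUser" value="False" />
  </appSettings>
</configuration>"""


def per_user_setting(config_xml):
    """Return True/False for the key, or None when it is absent or not a boolean."""
    root = ET.fromstring(config_xml)
    # Assumption: the key sits in <appSettings> as <add key=... value=.../>.
    for add in root.findall("./appSettings/add"):
        if add.get("key") == KEY:
            value = (add.get("value") or "").strip().lower()
            return {"true": True, "false": False}.get(value)
    return None


def audit(configs):
    """configs maps site name -> web.config text. Returns (settings, findings)."""
    settings = {site: per_user_setting(xml) for site, xml in configs.items()}
    findings = []
    for site, value in settings.items():
        if value is None:
            findings.append(f"{site}: {KEY} missing or not True/False")
        elif value is False:
            findings.append(f"{site}: connects as the application pool identity, "
                            "so cube roles are evaluated for that account")
    if len(set(settings.values())) > 1:
        findings.append(f"sites disagree on {KEY}")
    return settings, findings


if __name__ == "__main__":
    _, findings = audit({"Preview": PREVIEW_CONFIG, "WebService": WEBSERVICE_CONFIG})
    print("\n".join(findings) or "both sites use per-user connections")
```
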