Database Reference
In-Depth Information
If you are familiar with other Microsoft products, such as
Internet Information
Services
(
IIS
) or SQL Server itself, you will know that they provide several different
ways to authenticate users. Windows integrated security is always one option, but
these products often implement some other forms of authentication. This is not the
case for Analysis Services—it only supports Windows integrated security and no
other form of authentication.
By "Windows users", we are referring to both domain users and local users from the
server where Analysis Services is installed. Local users are often used when the cube
is accessible over the Internet. In this scenario, there will probably be an Analysis
Services server in a DMZ, with a copy of a cube that has been processed on another
Analysis Services server from somewhere inside the corporate network and, since
the server in the DMZ does not belong to a domain, we will need to use local users in
order to access it.
Since we do not want to tie security to specific Windows users who will come and
go over time; it's a good idea to restrict membership of Analysis Services roles to
Windows user groups (and preferably domain user groups). We can then control
who has access to the cube by adding and removing Windows users from these
groups. This level of indirection frees us from the need to make changes in Analysis
Services each time a new user needs access to the cube.
So in order to let users access the cube and enforce security, we will need to:
• Define Analysis Services roles, one for each set of permissions our users
will have
• Define domain groups and add them to the roles. For the sake of clarity, we
will use the same name for the role and the domain group
•
Add domain users to these groups
This will only work if users are able to access the cube using Windows integrated
security. There are, however, a lot of situations where integrated security cannot be
used as a result of the presence of firewalls protecting the server or other types of
network infrastructure that prevent integrated security from working. In these cases,
we will need to use Internet Information Services to let the users connect to the cube
via HTTP; we'll describe how to do this later on in this chapter.
Search WWH ::
Custom Search