Security Model for Analysis Services - Microsoft SQL Server 2008 Analysis Services

Databases Reference

In-Depth Information

.

ImpersonateCurrentUser —Specifies the use of the credentials of the current

user; utilized only to run data mining queries.

.

ImpersonateServiceAccount —Establishes the connection with the credentials

of the account under which the Analysis Services server started.

.

Account defines the name of the user account to use for impersonation.

. Password defines the password for the account specified in the Account property.

The DataSourceImpersonationInfo property of the Database object serves as a default for

access to external sources if the ImpersonationInfo property is not specified for the

DataSource object, or when the ImpersonationMode property is set to

Default.DataSourceImpersonationInfo has exactly the same structure as the

ImpersonationInfo object. Its only purpose is to serve as a default for data sources with

ImpersonationMode set to Default .

Changing a Service Logon Account

Use the SQL Server Configuration Manager to change a service logon account. Although

you can view and change a logon account for Analysis Services through the Windows

Service Control Manager, we recommend that you never use it to change a service logon

account.

NOTE

You can access the SQL Server Configuration Manager through the Start menu: Start,

Microsoft SQL Server 2008, Configuration Tools, SQL Server Configuration Manager.

The main reason for using Configuration Manager is that, during installation, SQL Server

setup grants Analysis Services access to all the file system folders and Registry entries

necessary for it to be able to operate. If you change the service logon account using

Windows Service Control Manager, the new service account might not have enough privi-

leges to access the file system and system Registry, and that could lead to a situation in

which you can't start Analysis Services.

SQL Server setup creates a local security group ( SQLServer2005MSOLAPUser$MACHINE

NAME$MSSQLSERVER in Analysis Services 2005 and SQLServerMSASUser$ MACHINENAME

$MSSQLSERVER , in version 2008) and grants it all required file system and Registry permis-

sions. The service logon account becomes a member of this group. When you change the

service logon account using SQL Server Configuration Manager, it removes the old service

account and inserts the new one into this group.

All file system folders are secured using that local security group. The alternative is to

secure every folder using an Analysis Server logon account.

Search WWH ::

Custom Search

Home