Databases Reference
In-Depth Information
There can be only one
Administrators
role. If you try to create a new
Administrators
role, you get this error message:
Server and server role objects cannot be created,
deleted, or fully expanded.
When you add accounts to a role, you can add only valid Windows accounts. You can
add domain accounts or groups. For example, you can add the domain user we've already
established,
REDMOND\edwardm
. Analysis Services also allows you to add local computer
user or group accounts, such as
LocalMachine\Administrators
, to the server
Administrators
role.
You can also add built-in accounts, such as
Everyone
(which grants access to any user—
not a good idea from a security perspective) and
NT AUTHORITY\SYSTEM
, a local computer's
service account.
During setup, you can add members to the server
Administrators
role (Provisioning page
in setup). However, if you are an administrator for the local computer, you can still
connect to Analysis Services because all members of the Windows
LocalMachine\
Administrators
group are granted administrative rights to Analysis Services. (This is the
equivalent of adding the
LocalMachine\Administrators
group to the
Administrators
role.) On Windows Vista and Windows Server 2008, even though you are a local machine
administrator, you will have to run an administrative application connecting to Analysis
Services under elevated Windows Administrative privileges (“Run as administrator”). We
recommend you provision your server administrative role to avoid that.
In many organizations, the server computer administrator is not the same person who
manages Analysis Services. If this is the case, you should add the Analysis Services admin-
istrator to the
Administrators
role, and then use the
BuiltinAdminsAreServerAdmins
configuration property to revoke the administrator rights of the
LocalMachine\
Administrators
group.
NOTE
Revoking the rights of the
LocalMachine\Administrators
group by turning off the
BuiltinAdminsAreServerAdmins
server configuration doesn't provide full security pro-
tection. The operating system provides members of the
LocalMachine\Administrators
group with privileges that allow them access to the configuration file. Any computer
administrator could potentially turn on the
BuiltinAdminsAreServerAdmins
property.
SQL Server Management Studio (SSMS) provides you with a user interface to manage the
Administrators
role through the Server Properties dialog box.
Database Roles and Permission Objects
All nonadministrative security within Analysis Services is managed through the
Database
role and
Permission
objects. Similar to the server
Administrators
role, you can add only
valid Windows accounts to the
Database
role. Unlike the
Administrators
role, however,
you can use the
Database
role to define a granular set of permissions to different objects
Search WWH ::
Custom Search