There can be only one Administrators role. If you try to create a new Administrators
role, you get this error message: “Server and server role objects cannot be created,
deleted, or fully expanded.”
When you add accounts to a role, you can add only valid Windows accounts. You can
add domain accounts or groups. For example, you can add the domain user we've already
established, REDMOND\edwardm. Analysis Services also allows you to add local computer
user or group accounts, such as LocalMachine\Administrators, to the server
Administrators role.
You can also add built-in accounts, such as Everyone (which grants access to any user—
not a good idea from a security perspective) and NT AUTHORITY\SYSTEM, a local computer's
service account.
During setup, you can add members to the server Administrators role (Provisioning page
in setup). However, if you are an administrator for the local computer, you can still
connect to Analysis Services because all members of the Windows
LocalMachine\Administrators group are granted administrative rights to Analysis Services.
(This is the equivalent of adding the LocalMachine\Administrators group to the
Administrators role.) On Windows Vista and Windows Server 2008, even though you are a
local machine administrator, you will have to run an administrative application connecting
to Analysis Services under elevated Windows Administrative privileges (“Run as
administrator”). We recommend you provision your server administrative role to avoid that.
In many organizations, the server computer administrator is not the same person who
manages Analysis Services. If this is the case, you should add the Analysis Services
administrator to the Administrators role, and then use the BuiltinAdminsAreServerAdmins
configuration property to revoke the administrator rights of the
LocalMachine\Administrators group.
NOTE
Revoking the rights of the LocalMachine\Administrators group by turning off the
BuiltinAdminsAreServerAdmins server configuration property doesn't provide full security
protection. The operating system provides members of the LocalMachine\Administrators
group with privileges that allow them access to the configuration file. Any computer
administrator could potentially turn on the BuiltinAdminsAreServerAdmins property.
SQL Server Management Studio (SSMS) provides you with a user interface to manage the
Administrators role through the Server Properties dialog box.
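The following audit is an added example, not code from the book. It reads BuiltinAdminsAreServerAdmins from the server configuration file and lists the accounts that could rewrite that file, which is the exposure the NOTE describes. It assumes the file is msmdsrv.ini and that the setting sits under ConfigurationSettings/Security; the function name and the sample file are constructed for illustration.

```powershell
function Get-SsasBuiltinAdminsAudit {
    param([Parameter(Mandatory)][string]$ConfigPath)

    # The configuration file is XML despite its .ini extension.
    $cfg  = [xml](Get-Content -LiteralPath $ConfigPath -Raw)
    $node = $cfg.SelectSingleNode('/ConfigurationSettings/Security/BuiltinAdminsAreServerAdmins')

    # Assumption: a missing element means the server default applies, and the
    # default leaves local administrators in the server Administrators role.
    $raw     = if ($node) { $node.InnerText.Trim() } else { '(absent)' }
    $enabled = $raw -notin @('0', 'false')

    # Anyone who can write the file can turn the property back on, so report
    # every principal holding an Allow ACE that includes write access.
    $writeBit = [int][System.Security.AccessControl.FileSystemRights]::WriteData
    $writers  = (Get-Acl -LiteralPath $ConfigPath).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ([int]$_.FileSystemRights -band $writeBit) -ne 0 } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    [pscustomobject]@{
        ConfigPath                   = $ConfigPath
        RawValue                     = $raw
        BuiltinAdminsAreServerAdmins = $enabled
        PrincipalsWithWriteAccess    = $writers
    }
}

# Constructed sample input, trimmed to the one setting of interest.
$sample = Join-Path $env:TEMP 'msmdsrv-sample.ini'
@'
<ConfigurationSettings>
  <Security>
    <BuiltinAdminsAreServerAdmins>0</BuiltinAdminsAreServerAdmins>
  </Security>
</ConfigurationSettings>
'@ | Set-Content -LiteralPath $sample -Encoding UTF8

Get-SsasBuiltinAdminsAudit -ConfigPath $sample | Format-List
```

Run it on a schedule against the real configuration file and alert when the property reads as enabled again or when the list of principals with write access grows.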
Database Roles and Permission Objects
All nonadministrative security within Analysis Services is managed through the Database
role and Permission objects. Similar to the server Administrators role, you can add only
valid Windows accounts to the Database role. Unlike the Administrators role, however,
you can use the Database role to define a granular set of permissions to different objects