6/16/2018 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
SSAS Tabular Security Patrick LeBlanc 6/16/2018 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Session Objectives And Takeaways Tech Ready 15 6/16/2018 Session Objectives And Takeaways Session Objective(s): Understand the importance of properly implementing security within an SSAS Tabular Model. Explain the importance of Tabular Security Assist customers in designing effective security approaches Demonstrate various security scenarios © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Agenda In this session we will discuss the following topics: Introduction What can you secure? How does Impersonation work? Creating and Managing roles, what’s the best method? Row filters, do they always work? Dynamic Security, which method? EFFECTIVEUSERNAME() vs. KERBEROS Managing and Monitoring Security
Resources SQL Server 2014 Books Online (Use It!!!) Tech Ready 15 6/16/2018 Resources SQL Server 2014 Books Online (Use It!!!) Tabular Security White Paper http://msdn.microsoft.com/en-us/library/jj127437.aspx Microsoft SQL Server 2012 Analysis Services: The BISM Tabular Model OneDrive Resources http://sdrv.ms/1fiaKle © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Patrick LeBlanc Experience: Twitter: patrickdba Tech Ready 15 6/16/2018 Patrick LeBlanc Twitter: patrickdba Author: Latest book, SQL Server 2012 Step by Step Blog: http://patrickdleblanc.com Experience: I have been working with SQL Server a long time!!!!! © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
What can you secure? Server instance Database Rows Tables (Maybe!!) you CAN secure you CAN’T secure Server instance Database Rows Tables (Maybe!!) Columns Cells Perspectives
Demo Securing a Server (100 Level) 6/16/2018 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
How does impersonation work? SERVER-SIDE CLIENT-SIDE Import Data Process Data Preview and Filter Table Properties Partition Manager
Impersonation(IMPORTANT!) Model Authoring Ensure that the currently logged on user and the credentials specified for impersonation have sufficient rights to access data from the data source Impersonation As a best practice you should specify a Windows user account and password instead of using the Service account. Typically the service account has elevated permissions, which is not necessary when developing a model.
Demo Who’s connected (200 Level)
Importing Data
Demo Too Many Connections…You Only Need ONE!!! (200 Level)
Built-in Administrators Server Role Fixed Administrative Role – has permissions over the entire instance. Members of Local Administrators Group Anyone that is included is this group is and Administrator. Controlled via SSMS or the msmdsrv.ini file. To change in SSMS you must check the Show Advanced (All Properties) checkbox. Change Security\BuiltinAdminsAreServerAdmins to FALSE!!
Demo Show Configuration (200 - 300 Level)
Row Filter Considerations Row filters only work when applied to the ONE table in a one-to-many relationship If applied to the MANY, you must also add a row filter to the ONE and use a many-to-may relationship pattern. When more than one row filter is applied, a user will only see rows allowed by both filters DirectQuery enabled models do not support row filters
Row Filters can affect…. Table Relationships Calculated Columns Hierarchies
Demo Row Filters (Calculated Columns &Hierarchies) (Level 200 – 300)
Dynamic Security, which method? Row Filter Row Filter Row Filter Row Filter Row Filter Row Filter Row Filter Row Filter Row Filter Row Filter Row Filter Row Filter
Dynamic Security, which method? Permissions Table Store distinct combinations of filters associated with a Role(s) in a table. USERNAME() Returns windows user name of current users (domain\user). CUSTOMDATA() Returns name passed from CustomData connection string property.
Double-hop Kerberos Can be DIFFICULT! Most people try to avoid it Probably Best Option EffecitveUserName Easy for Power View and SSRS (Impersonate or Set Execution Context) Connecting user must be an SSAS Administrator Could be a security concern CUSTOMDATA() Only use in Middle-tier
Connecting without Kerberos Excel Services SQL Reporting Services
Demo Dynamic Security and EffectiveUsername Level (300)
Creating and Managing roles, what’s the best method? Database Roles Control access to model and data Permissions Description Row Filters user DAX None Members cannot modify or query data Read Members can query data, but can’t change database or see database Read and Process Members can query data and process database, but can’t change database or see database model Process Members can process database, but can’t change database, see database model or query data Administrator Members can do everything to database .
Creating and Managing roles, what’s the best method? Where should you create roles? SQL Server Data Tools Where and when should members be added to roles? SQL Server Management Studio After Deployment
Creating and Managing roles, what’s the best method? How do you deploy Roles? Analysis Services Deployment Wizard
Demo Deploying Roles (Level 200 – 300)
Managing and Monitoring Security SQL Profiler Events Audit Login/Logout Existing Session Session Initialize (New Session) Extended Events AuditLogin/Logout AuditServerStartsAndStops AuditAdminOperationsEvent
Demo Profiler/Extended Events (Level 200 - 300)
Session Objectives And Takeaways Tech Ready 15 6/16/2018 Session Objectives And Takeaways Session Objective(s): Understand the importance of properly implementing security within an SSAS Tabular Model. Explain the importance of Tabular Security Assist customers in designing effective security approaches Demonstrate various security scenarios © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Resources Learning TechNet msdn http://channel9.msdn.com/Events/TechEd 6/16/2018 Resources Sessions on Demand http://channel9.msdn.com/Events/TechEd Learning Microsoft Certification & Training Resources www.microsoft.com/learning TechNet Resources for IT Professionals http://microsoft.com/technet msdn Resources for Developers http://microsoft.com/msdn © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Complete an evaluation and enter to win! 6/16/2018 Complete an evaluation and enter to win! © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Evaluate this session Scan this QR code to evaluate this session. 6/16/2018 Evaluate this session Scan this QR code to evaluate this session. © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
6/16/2018 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.