Presentation is loading. Please wait.

Presentation is loading. Please wait.

Advanced Analysis Services Security Chris Webb Crossjoin Consulting Limited.

Published byReynard Ford Modified over 8 years ago

Similar presentations

Presentation on theme: "Advanced Analysis Services Security Chris Webb Crossjoin Consulting Limited."— Presentation transcript:

1 Advanced Analysis Services Security Chris Webb Crossjoin Consulting Limited

2 Who Am I? Chris Webb –Email: chris@crossjoin.co.ukchris@crossjoin.co.uk –Twitter @Technitrain Independent Analysis Services consultant and trainer www.crossjoin.co.uk www.crossjoin.co.uk Author: “MDX Solutions” and “Expert Cube Development with SSAS 2008” SQL Server MVP Blogger: http://cwebbbi.wordpress.comhttp://cwebbbi.wordpress.com

3 Agenda Dimension Security Cell Security Dynamic Security Performance Impact of Security Security in the Tabular Model

4 Assumptions You know SSAS cubes You know how to do basic dimension and cell security You know a little bit about the Tabular model in SSAS 2012 You’re interested in a deep dive about SSAS security!

5 Testing Security Roles can of course be tested in BIDS by pressing the Change User button They can also be tested in SQLMS by setting two connection string properties (if you’re an administrator): –EffectiveUserName – connect as if you were this user –Roles – connect as if you were a member of one or more roles

6 BIDS Helper BIDS Helper Roles Report does the following: –Documenting your roles and permissions –Finding out who has access though which role –Identifying causes of errors, such as invalid members Duplicate Role allows you to copy roles –Native copy/paste only creates a new role with no permissions defined but same membership

7 Securing Database and Cube Dimensions Securing a Cube dimension means you secure just that instance of a dimension in a cube Securing a Database dimension means you secure every instance of that dimension in every cube in the database –But errors when you have role-playing dimensions!

8 Allowed and Denied sets In dimension security, a role makes allows access to all members in the Allowed set, except those present in the Denied set Always use the Allowed set to grant access, rather than denying access to specific members –What happens if new members appear on the hierarchy?

9 Denying Access to Levels and Dimensions An empty Allowed set allows you to prevent access to an entire attribute or level No way of denying access to an entire dimension easily –Have to deny access to everything except the All Member on all attributes on a dimension –Then have to hide the dimension itself, maybe with a perspective

10 Multiple Roles Users can be members of multiple roles In that case a user will see everything each individual role can see unioned together –If one role allows access to a member and one denies, the user is allowed access

11 Parent/Child Hierarchies When applying dimension security to a parent/child hierarchy: –We cannot apply security to the key attribute –Granting access to a member on a p/c hierarchy means you grant access to all its ancestors –By default, granting access to a member also grants access to all its descendants, unless you explicitly deny access to them For dynamic security it causes even more complications…

12 MDX Script Errors If a calculation references a member that a role has denied access to, it will lead to an error in the MDX Script It is possible to ignore MDX Script errors, but this could mean you miss errors you do want to see Instead, use IsError() to detect if an expression returns an error Then use named sets and scoped assignments to perform calculations conditionally

13 Read and Read Contingent In cell security, a read permission allows/denies access to individual cells Read permissions are extremely easy to get around though, so don’t use them! Read contingent permissions take the extra step of checking to see if you have access to the cells a calculation needs to access

14 Replacing Cell Security Cell security can be avoided by creating a new dimension on your fact table –Create a new key on the fact table that is 1 for all rows to be secured, 0 for everything else –Then build a dimension with 1 and 0 as members and apply dimension security –Then make the dimension invisible to users –Not so easy to do with Measures 

15 Dynamic Security Dynamic security is when a single role can return different permissions for different users A role can be dynamic by either of two functions: –UserName(), to return the Windows username of the user that is connecting –CustomData(), to return the string passed in through the Custom Data connection string property. Useful when a front-end app is handling authentication.

16 Dynamic Security Approaches There are two basic approaches to implementing dynamic security: –Call a custom MDX function in a.NET dll to return details on permissions –Model permissions into dimensions and measures in your cube, then query them from within the role

17 Dynamic Security Approaches The measure group approach is to be preferred: –It’s faster – permissions are evaluated several times during login –When permissions change the cache needs to be cleared: For the dll approach you have to clear all caches on the cube For the measure group approach you need to reprocess just the measure group, which leaves SE caches on other measure groups intact

18 Dimension Security and Performance Different dimension security permissions can result in different query plans –Always build aggregations with roles in mind Formula Engine cache-sharing is also affected –Only users with exactly the same permissions can share FE caches –With dynamic security, FE caches are never shared

19 Cell Security and Performance Cell security can be very bad for performance: –It prevents the use of bulk mode for calculations –It prevents the caching of the results returned by MDX calculations for more than the lifetime of a query For this reason alone, avoid using it!

20 Security in the Tabular Model Tabular security is very similar to dimension security but operates on the row level No concept of denied sets though Nothing equivalent to dimension security

21 THANK YOU! For attending this session and PASS SQLRally Nordic 2011, Stockholm

Download ppt "Advanced Analysis Services Security Chris Webb Crossjoin Consulting Limited."

Similar presentations

Common Analysis Services Design Mistakes and How to Avoid Them

Common Analysis Services Design Mistakes and How to Avoid Them
Adam Jorgensen Pragmatic Works Performance Optimization in SQL Server Analysis Services 2008.

Adam Jorgensen Pragmatic Works Performance Optimization in SQL Server Analysis Services 2008.
Les Webcasts Groupe des Utilisateurs SQL Server Septembre 2013 – Power Query Chris Webb – Technitrain MVP SQL Server.

Les Webcasts Groupe des Utilisateurs SQL Server Septembre 2013 – Power Query Chris Webb – Technitrain MVP SQL Server.
Chris Webb Crossjoin Consulting Ltd

Chris Webb Crossjoin Consulting Ltd
Cache –Warming Strategies for Analysis Services 2008 Chris Webb Crossjoin Consulting Limited

Cache –Warming Strategies for Analysis Services 2008 Chris Webb Crossjoin Consulting Limited
Introduction to ETL Using Microsoft Tools By Dr. Gabriel.

Introduction to ETL Using Microsoft Tools By Dr. Gabriel.
1 Linking & Consolidating Worksheets Applications of Spreadsheets.

1 Linking & Consolidating Worksheets Applications of Spreadsheets.
Arjun Krishnamoorthi  Power View enables self-service BI by providing simple to use ad-hoc reporting for business users and decision.

Arjun Krishnamoorthi  Power View enables self-service BI by providing simple to use ad-hoc reporting for business users and decision.
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Implementing Business Analytics with MDX Chris Webb London September 29th.

Implementing Business Analytics with MDX Chris Webb London September 29th.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.

70-270, MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.
Top 10 SSIS Best Practices Tim Mitchell Artis Consulting The World’s Largest Community of SQL Server Professionals.

Top 10 SSIS Best Practices Tim Mitchell Artis Consulting The World’s Largest Community of SQL Server Professionals.
Security in SQL Jon Holmes CIS 407 Fall 2007. Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections.

Security in SQL Jon Holmes CIS 407 Fall Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections.
SQL Server Management Studio Introduction

SQL Server Management Studio Introduction
1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.

1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.
December 5, 2008 1 OBIEE Technical Conference Security Overview Dan Malone.

December 5, OBIEE Technical Conference Security Overview Dan Malone.
Implementing Common Business Calculations in DAX

Implementing Common Business Calculations in DAX
SQL Analysis Services 2005. Microsoft® SQL Server 2005 Analysis Services provides unified, fully integrated views of your business data to support online.

SQL Analysis Services Microsoft® SQL Server 2005 Analysis Services provides unified, fully integrated views of your business data to support online.
SharePoint 2010 Business Intelligence Module 6: Analysis Services.

SharePoint 2010 Business Intelligence Module 6: Analysis Services.

Similar presentations

Ads by Google