1. 6/16/2018
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2. SSAS Tabular Security Patrick LeBlanc 6/16/2018
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

3. Session Objectives And Takeaways
Tech Ready 15
6/16/2018
Session Objectives And Takeaways
Session Objective(s):
Understand the importance of properly implementing security within an SSAS Tabular Model.
Explain the importance of Tabular Security
Assist customers in designing effective security approaches
Demonstrate various security scenarios
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

4. Agenda In this session we will discuss the following topics:
Introduction
What can you secure?
How does Impersonation work?
Creating and Managing roles, what’s the best method?
Row filters, do they always work?
Dynamic Security, which method?
EFFECTIVEUSERNAME() vs. KERBEROS
Managing and Monitoring Security

5. Resources SQL Server 2014 Books Online (Use It!!!)
Tech Ready 15
6/16/2018
Resources
SQL Server 2014 Books Online (Use It!!!)
Tabular Security White Paper
Microsoft SQL Server 2012 Analysis Services: The BISM Tabular Model
OneDrive Resources
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

6. Patrick LeBlanc Experience: Twitter: patrickdba
Tech Ready 15
6/16/2018
Patrick LeBlanc
Twitter: patrickdba
Author: Latest book, SQL Server 2012 Step by Step
Blog:
Experience:
I have been working with SQL Server a long time!!!!!
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

7. What can you secure? Server instance Database Rows Tables (Maybe!!)
you CAN secure
you CAN’T secure
Server instance
Database
Rows
Tables (Maybe!!)
Columns
Cells
Perspectives

8. Demo Securing a Server (100 Level) 6/16/2018
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

9. How does impersonation work?
SERVER-SIDE
CLIENT-SIDE
Import Data
Process Data
Preview and Filter
Table Properties
Partition Manager

10. Impersonation(IMPORTANT!)
Model Authoring
Ensure that the currently logged on user and the credentials specified for impersonation have sufficient rights to access data from the data source
Impersonation
As a best practice you should specify a Windows user account and password instead of using the Service account. Typically the service account has elevated permissions, which is not necessary when developing a model.

11. Demo
Who’s connected (200 Level)

12. Importing Data

13. Demo
Too Many Connections…You Only Need ONE!!!
(200 Level)

14. Built-in Administrators
Server Role
Fixed Administrative Role – has permissions over the entire instance.
Members of Local Administrators Group
Anyone that is included is this group is and Administrator. Controlled via SSMS or the msmdsrv.ini file.
To change in SSMS you must check the Show Advanced (All Properties) checkbox. Change Security\BuiltinAdminsAreServerAdmins to FALSE!!

15. Demo
Show Configuration ( Level)

16. Row Filter Considerations
Row filters only work when applied to the ONE table in a one-to-many relationship
If applied to the MANY, you must also add a row filter to the ONE and use a many-to-may relationship pattern.
When more than one row filter is applied, a user will only see rows allowed by both filters
DirectQuery enabled models do not support row filters

17. Row Filters can affect….
Table Relationships
Calculated Columns
Hierarchies

18. Demo
Row Filters (Calculated Columns &Hierarchies)
(Level 200 – 300)

19. Dynamic Security, which method?
Row Filter
Row Filter
Row Filter
Row Filter
Row Filter
Row Filter
Row Filter
Row Filter
Row Filter
Row Filter
Row Filter
Row Filter

20. Dynamic Security, which method?
Permissions Table
Store distinct combinations of filters associated with a Role(s) in a table.
USERNAME()
Returns windows user name of current users (domain\user).
CUSTOMDATA()
Returns name passed from CustomData connection string property.

21. Double-hop Kerberos Can be DIFFICULT! Most people try to avoid it
Probably Best Option
EffecitveUserName
Easy for Power View and SSRS (Impersonate or Set Execution Context)
Connecting user must be an SSAS Administrator
Could be a security concern
CUSTOMDATA()
Only use in Middle-tier

22. Connecting without Kerberos
Excel Services
SQL Reporting Services

23. Demo
Dynamic Security and EffectiveUsername Level (300)

24. Creating and Managing roles, what’s the best method?
Database Roles
Control access to model and data
Permissions
Description
Row Filters user DAX
None
Members cannot modify or query data
Read
Members can query data, but can’t change database or see database
Read and Process
Members can query data and process database, but can’t change database or see database model
Process
Members can process database, but can’t change database, see database model or query data
Administrator
Members can do everything to database .

25. Creating and Managing roles, what’s the best method?
Where should you create roles?
SQL Server Data Tools
Where and when should members be added to roles?
SQL Server Management Studio
After Deployment

26. Creating and Managing roles, what’s the best method?
How do you deploy Roles?
Analysis Services Deployment Wizard

27. Demo
Deploying Roles
(Level 200 – 300)

28. Managing and Monitoring Security
SQL Profiler Events
Audit Login/Logout
Existing Session
Session Initialize (New Session)
Extended Events
AuditLogin/Logout
AuditServerStartsAndStops
AuditAdminOperationsEvent

29. Demo
Profiler/Extended Events
(Level )

30. Session Objectives And Takeaways
Tech Ready 15
6/16/2018
Session Objectives And Takeaways
Session Objective(s):
Understand the importance of properly implementing security within an SSAS Tabular Model.
Explain the importance of Tabular Security
Assist customers in designing effective security approaches
Demonstrate various security scenarios
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

31. Resources Learning TechNet msdn http://channel9.msdn.com/Events/TechEd
6/16/2018
Resources
Sessions on Demand
Learning
Microsoft Certification & Training Resources
TechNet
Resources for IT Professionals
msdn
Resources for Developers
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

32. Complete an evaluation and enter to win!
6/16/2018
Complete an evaluation and enter to win!
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

33. Evaluate this session Scan this QR code to evaluate this session.
6/16/2018
Evaluate this session
Scan this QR code to evaluate this session.
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

34. 6/16/2018
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.