
Analysis Services security consists of two major aspects:

  1. Administrative permissions to Analysis Services database objects.
  2. User permissions for viewing cube data.

In this section we will first discuss administrative permissions briefly. Then we will primarily focus on cube data security.

Note that Analysis Services security is limited to Windows authentication. SQL Server logins cannot be used to connect to an analysis server; nor can you create MSAS logins. To grant access to cube data you can create Analysis Services database roles and cube roles; however, members of such roles must be Windows accounts or groups.

Setting administrative permissions for Analysis Services 2000 is straightforward but not very flexible. As soon as MSAS 2000 is installed, a Windows group called OLAP Administrators is created. All Windows accounts that need administrative privileges must belong to the OLAP Administrators group on the local computer. Administrative privileges include:

  1. Creating and modifying database objects.
  2. Creating and editing database and cube roles.
  3. Processing objects.
  4. Reading data in cubes.
  5. Writing data if cubes are write-enabled.

Members of the OLAP Administrators role can perform any operation on the analysis server. You cannot grant permissions for individual administrative tasks, so you either grant all possible permissions or none.

MSAS 2005 supports granting more granular administrative permissions. First, you can run multiple instances of MSAS 2005 on the same server, so each instance can have a separate administrator. The OLAP Administrators role is no longer used for administering instances of the analysis server; instead, each instance has a fixed server role that allows its members to fully administer the instance. Cube structures must be developed (and modified) using Business Intelligence Development Studio (BIDS); therefore, there is no need to grant permissions to modify cube structure directly on the analysis server. Instead, cubes can be developed in a disconnected environment and then deployed to an instance of MSAS.

The fixed server role for an Analysis Services instance is comparable to the sysadmin role in SQL Server. Members of the fixed server role can add users to this same role, run a Profiler trace against the instance, create OLAP databases and modify server-level properties. You can add members to the fixed server role by right-clicking the instance of MSAS 2005, choosing Properties and then navigating to the Security page.

In addition to the fixed server role, you can also set up roles and grant them various levels of permissions at the OLAP database level. These permissions include:

  • Full Control: members of this role can perform any operation within the current database. Members of this role can fully administer the current database but cannot change any server-level properties.
  • Process Database: members of this role can process the current database and any underlying objects.
  • Read Definition: members of this role can read database object definitions (metadata) but cannot change them.

There are several Analysis Services properties that you should investigate and modify as needed to fine-tune security in your environment:

  • Security / Data Protection / Required Protection Level: this property defines the encryption required while connecting to Analysis Services. By default encryption is required.
  • Require Client Authentication: defines whether client authentication is required for connecting to cubes.
  • Disable Client Impersonation: controls whether client impersonation from external sources, such as .NET applications or stored procedures, is enabled.
  • Local Admins are server admins: much like with the SQL Server database engine, members of the Local Administrators Windows group can also administer instances of Analysis Services by default. In most cases local administrators do not have to be Analysis Services administrators. Instead you should grant administrative access to selected users. This is an advanced property and isn't displayed in the properties list unless you click the "show advanced properties" checkbox.
  • Service account is server admin: the account that Analysis Services runs under is by default an administrator of the specific instance. The service account should have full administrative privileges. This is an advanced property and isn't displayed in the properties list unless you click the "show advanced properties" checkbox.
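
One way to review these properties outside the management tool is to read them from the instance configuration file and compare them with a baseline. The script below is an added example, not part of the original page or of Analysis Services itself. It assumes the properties are stored under a Security element of msmdsrv.ini with the element names shown; the sample file content and the baseline values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the Security section of an msmdsrv.ini file.
# Element names are assumed counterparts of the display names listed above.
SAMPLE_INI = """<ConfigurationSettings>
  <Security>
    <DataProtection>
      <RequiredProtectionLevel>1</RequiredProtectionLevel>
    </DataProtection>
    <RequireClientAuthentication>1</RequireClientAuthentication>
    <DisableClientImpersonation>0</DisableClientImpersonation>
    <BuiltinAdminsAreServerAdmins>1</BuiltinAdminsAreServerAdmins>
    <ServiceAccountIsServerAdmin>1</ServiceAccountIsServerAdmin>
  </Security>
</ConfigurationSettings>"""

# Hypothetical baseline: path under Security -> (display name, expected value).
# None means "report the value only"; the page gives no numeric encoding or
# recommendation for those properties.
BASELINE = {
    "DataProtection/RequiredProtectionLevel": ("Required Protection Level", None),
    "RequireClientAuthentication": ("Require Client Authentication", "1"),
    "DisableClientImpersonation": ("Disable Client Impersonation", None),
    "BuiltinAdminsAreServerAdmins": ("Local Admins are server admins", "0"),
    "ServiceAccountIsServerAdmin": ("Service account is server admin", "1"),
}

def normalise(text):
    """Treat true/false and 1/0 spellings of a flag as the same value."""
    value = (text or "").strip().lower()
    return {"true": "1", "false": "0"}.get(value, value)

def audit(ini_text, baseline=BASELINE):
    """Return (display name, actual value, status) for each baseline property."""
    security = ET.fromstring(ini_text).find("Security")
    findings = []
    for path, (label, expected) in baseline.items():
        node = security.find(path) if security is not None else None
        if node is None:
            findings.append((label, None, "missing"))
            continue
        actual = normalise(node.text)
        if expected is None:
            status = "info"      # no baseline value, report only
        elif actual == expected:
            status = "ok"
        else:
            status = "review"    # differs from the baseline
        findings.append((label, actual, status))
    return findings

if __name__ == "__main__":
    for label, actual, status in audit(SAMPLE_INI):
        print(f"{status:8} {label} = {actual}")
```

With the constructed sample, only "Local Admins are server admins" is marked for review, because the sample leaves it at its default of enabled.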