Security with Analysis Services - Overview
See Also: Main_Page - Database Administration - Analysis Services - Security with Analysis Services
Analysis Services security consists of two major aspects:
In this section we will first discuss administrative permissions briefly. Then we will primarily focus on cube data security.
Note that Analysis Services security is limited to Windows authentication. SQL Server logins cannot be used to connect to an analysis server; nor can you create MSAS logins. To grant access to cube data you can create Analysis Services database roles and cube roles; however, members of such roles must be Windows accounts or groups.
Setting administrative permissions with to Analysis Services 2000 is straightforward but not very flexible. As soon as MSAS 2000 is installed a Windows group called OLAP administrators is created. All Windows accounts that need administrative privileges must belong to OLAP Administrators' group on the local computer. Administrative privileges include:
Members of OLAP Administrators' role can perform any operation on the analysis server. You cannot grant permissions to individual administrative tasks; so either you grant all possible permissions or none.
MSAS 2005 supports granting more granular administrative permissions. First, you can run multiple instances of MSAS 2005 on the same server so each instance can have a separate administrator. OLAP administrators' role is no longer used for administering instances of analysis server; instead each instance has a fixed server role that allows its members to fully administer the instance. Cube structures must be developed (and modified) using Business Intelligence Development Studio (BIDS); therefore, there is no need to grant permissions to modify cube structure directly on the analysis server. Instead cubes can be developed in a disconnected environment and then deployed to an instance of MSAS.
The fixed server role for Analysis Services instance is comparable to the SYSTEMADMIN role in SQL Server. Members of the fixed server role can add users to this same role, run a Profiler trace against the instance, create OLAP databases and modify server level properties. You can add members to the fixed server role by right clicking the instance of MSAS 2005, choosing properties and then navigating to the security page.
In addition to fixed server role you can also setup roles and grant them various levels of permissions on OLAP database level. These permissions include:
There are several Analysis Services properties that you should investigate and modify as needed to fine-tune security in your environment: