Security Layers
The following are security layers that exist in an enterprise web-driven BI system:
• Portal/Web/Access
• Report/View
• Data
Portal/Web/Access
This layer is crucial to the initial user identification and to the system's decision to grant
the user access to the BI system. It filters out unwanted visitors, unknown guests and anyone
else who is not related to the BI project. Examples are a network-layer filter that admits
only Intranet users, or a common secured login page serving as the main portal to the system.
Report/View
The Report layer defines which users can access specific reports. Even with the same data,
one may want to secure specific reports that display critical decision data. Another example
is content-driven security by department, where each department is given access to its own
dedicated views/reports.
Data
Securing the data itself is also important. This is a context-based security layer in which
specific groups of users have access to a specific data slice.
The following section discusses the aforementioned security layers.
Integrated
The Integrated method automatically detects the user who is logged on at the Windows client.
Only Microsoft systems, networks and browsers support this method.
Basic
Basic security, which is supported by all browsers, offers interactive authentication in
which the user supplies a username and password. A pop-up window appears at the beginning of
the web session to verify user credentials.
Anonymous
The Anonymous method lets everybody enter and treats all users the same, based on a specific
status that is common to all users, as defined in IIS.
Panorama supports all these methods. Which IIS authentication method is used is unknown and
unimportant to the Panorama Server. What is important is who the next user is. This
information is set and passed to Panorama by any of the aforementioned methods.
If you build a custom web BI application, you might want to obtain user information. This
information can be retrieved from the session object in ASP, for example, and reused.
Another common method to authenticate users and obtain user information is to build a web
login page with your own logic; the page can be secured as a standard web login page.
Once we identify and classify the user, we can proceed to the application layer.
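One way a custom web application could turn the IIS authentication result into a user
identity, as an added example that is not Panorama's code or part of the original document.
It assumes the application reads the IIS server variables AUTH_TYPE and AUTH_USER; the
`identify` function, the `corp` default domain and the sample requests are constructed.

```python
from typing import NamedTuple, Optional

# AUTH_TYPE values assumed here for Windows-integrated requests.
INTEGRATED_SCHEMES = {"negotiate", "ntlm"}


class Identity(NamedTuple):
    method: str              # "Integrated", "Basic" or "Anonymous"
    account: Optional[str]   # lower-cased "domain\user"; None for Anonymous


def identify(server_vars, default_domain="corp"):
    """Map IIS server variables to the identity the BI layer should act on."""
    auth_type = (server_vars.get("AUTH_TYPE") or "").strip().lower()
    raw_user = (server_vars.get("AUTH_USER") or "").strip()

    if not auth_type and not raw_user:
        # Anonymous: all visitors share one status, so no per-user decision is possible.
        return Identity("Anonymous", None)
    if auth_type in INTEGRATED_SCHEMES:
        method = "Integrated"
    elif auth_type == "basic":
        method = "Basic"
    else:
        # Fail closed on anything this application was not configured for.
        raise ValueError(f"unexpected authentication scheme: {auth_type!r}")
    if not raw_user:
        raise ValueError("authenticated request carries no user name")

    # Windows account names are case-insensitive; normalize before any lookup.
    domain, sep, user = raw_user.rpartition("\\")
    if not sep:
        domain = default_domain  # assumed fallback when the user typed no domain
    if not domain or not user:
        raise ValueError(f"malformed account name: {raw_user!r}")
    return Identity(method, f"{domain}\\{user}".lower())


# Constructed sample requests, one per IIS method described above.
SAMPLES = [
    {"AUTH_TYPE": "Negotiate", "AUTH_USER": "CORP\\Alice"},
    {"AUTH_TYPE": "Basic", "AUTH_USER": "bob"},
    {"AUTH_TYPE": "", "AUTH_USER": ""},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(identify(sample))
```

An Anonymous result carries no account, so any role-based view or data decision later in the
stack has nothing to match against for that request.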
Report Security
A BI system has many reports, which in Panorama are termed views. Views are often
arranged in folders which combine to form Briefing Books. In Panorama, Dashboard views
can be arranged in pages and sections. In any case, we have a number of views and the
purpose of this layer is to enable groups of people to access different sets of views.
The Briefing Book mechanism is available in the product out of the box. When working with
Analysis Services (AS) roles (next chapter), the Briefing Books, folders and single views can
be secured on a role level. For example, the Sales folder inside a book can be made visible
only to the Sales role (defined in AS). Views have visible and hidden attributes, and
security on a book level is more flexible, allowing or restricting context menus or advanced
functionality. To set up book security, use Panorama Administrator: right-click a Briefing
Book and select the Manage Roles option. For detailed instructions, see the Administrator
manual.
Data Security
Data security is an important security layer. The following are methods of implementing
data-based security:
• Analysis Services
• Panorama Slicer Method
The two data security methods are completely independent and can be used simultaneously;
however, the system may become difficult to manage. To avoid possible security holes and an
unmanageable system, we strongly recommend utilizing a single method of data security for
an entire BI project.
Analysis Services
Analysis Services (AS) roles are containers of Windows users and NT groups. AS can only
work when integrated, so all the users mentioned should be valid Windows users. Each role
can have customized data access, starting from cube access level up to advanced MDX
statements. Panorama fully supports the roles mechanism except for the custom
user-defined MDX statements that use the 'Username' MDX function.
Introduction
This document describes security implementation with Microsoft Analysis Services roles and
Panorama Performance Dashboards for domain users.
Do not be confused by the Dashboard Groups that appear in the Sections administration. We
will not be using this element.
Summation
We have managed our content with domain groups and sections of reports. When a new
user is added to the organization, they can be added to the matching AD group and all
other settings are automatic. If there is a need to create a special permission for a single
individual, the domain user can be imported to the Panorama Performance Dashboards and
different security settings can be set for that user. Even if the specific user belongs to
groups which are also imported to the Dashboard, the user-specific security is applied with
higher priority than that of the groups to which the user belongs.
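The precedence rule described above, modelled as an added example (not Panorama's code or
part of the original document). The account names, groups and section names are constructed,
and two behaviours are assumptions: group grants combine as a union, and a user-specific
entry replaces the group result entirely.

```python
"""Model of section-level security where a user-specific entry outranks group entries."""

# Constructed sample data: AD group membership and Dashboard section settings.
AD_GROUPS = {
    r"corp\alice": {"sales"},
    r"corp\bob": {"sales", "finance"},
    r"corp\carol": {"finance"},
}
GROUP_SECTIONS = {"sales": {"Sales"}, "finance": {"Finance", "Budget"}}
# Users imported individually, each with their own settings.
USER_SECTIONS = {
    r"corp\bob": {"Sales"},               # narrower than bob's groups
    r"corp\carol": {"Finance", "Sales"},  # wider than carol's groups
}


def group_sections(user):
    """Sections granted through group membership alone (assumed: union of grants)."""
    allowed = set()
    for group in AD_GROUPS.get(user.lower(), set()):
        allowed |= GROUP_SECTIONS.get(group, set())
    return allowed


def effective_sections(user):
    """A user-specific entry, when present, takes priority over the group result."""
    key = user.lower()
    if key in USER_SECTIONS:
        return set(USER_SECTIONS[key])
    return group_sections(key)


def audit_overrides():
    """Report what each user-specific entry adds to or removes from the group result."""
    report = {}
    for user, own in USER_SECTIONS.items():
        via_groups = group_sections(user)
        report[user] = {
            "widened": sorted(own - via_groups),
            "narrowed": sorted(via_groups - own),
        }
    return report


if __name__ == "__main__":
    for user in sorted(AD_GROUPS):
        print(user, sorted(effective_sections(user)))
    print(audit_overrides())
```

The `widened` list is the part worth reviewing regularly: those sections stay visible to the
user regardless of later changes to AD group membership.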
When the only entry point for the BI application is Panorama Performance Dashboards
and no other tools which access the cubes are available to the end users.
You can simplify security management and not deal with the issue of Roles if the only
entry point for the BI application is Panorama Performance Dashboards and if no other tools
that access the cubes are available to the end users. As we have already defined Section
level security, users accessing the system are already limited to specific content which can
be directly related to a specific cube or data. In this case, no additional settings are
required. A single role can be created in the cube to grant access only to the Panorama
Service User. All the web users in Panorama are connected on behalf of the Panorama Service
User if no OLAP security (which enables a kind of impersonation) is activated.
Roles, if used, are containers of domain users and domain groups. In addition to the defined
groups as described above, the same Active Directory groups can form Analysis Services
roles, so security management is centralized in Active Directory, which is easy and
secure.
The scenario described in this article is only one of the many possible security
implementations with Analysis Services and Panorama Software.
Panorama Server
Panorama Server maintains a pool of active connections to Analysis Services. In
addition, the Panorama Administrator installed on the server is responsible for managing AS
roles, obtaining drillthrough information, and other administrative tasks. The server
requirements are as follows:
• AS Management Tools (minimum) installed on the Panorama machine.
• Run the Panorama Service with a user who is a member of the local OLAP Administrators
group.
• The user who runs the Panorama service also needs to have full NTFS permissions to the
Panorama folder.