
Panorama Security Guide

Securing BI Systems with Panorama


Table of Contents
Part I – Security Models
Security Overview
Security Layers
Portal/Web/Access
Report/View
Data
Authentication Methods
Integrated
Basic
Anonymous
Report Security
Data Security
Analysis Services
Panorama Slicer Method
Microsoft Internet Information Server Version 6 (IIS)
Security Implementation with Microsoft Analysis Services Roles and Panorama Performance Dashboards for Domain Users
Introduction
Panorama Layer Security
Data Layer Security Management
Part II – Administration and System Level
Network Security
Client to Panorama Server
Panorama Server to the Analysis Services
Panorama Server
File System and Virtual Directory
Database Access
Part III – Model Selection
OLAP vs. SLICER Security Comparison
Securing Java Component Parameters
Panorama Driven BI Solution – Common Security Scenarios

Copyright © Panorama Software Page 2/12


Part I – Security Models
Security Overview
This section discusses the following topics:
• Security Layers
• Authentication Methods
• Report Security
• Data Security
• Microsoft Internet Information Server (IIS 6)
• Security Implementation with Microsoft Analysis Services Roles and Panorama
Performance Dashboards for Domain Users
• Data Layer Security Management

Security Layers
The following are security layers that exist in an enterprise web-driven BI system:

• Portal/Web/Access
• Report/View
• Data

Portal/Web/Access
This layer handles the initial user identification and the system's decision to grant the user
access to the BI system. It filters out unwanted visitors, unknown guests and anyone else
who is not related to the BI project. Examples are a network layer filter that admits
only Intranet users, or a common secured login page that serves as the main portal to the system.

Report/View
The Report layer defines which users can access specific reports. Even when the
underlying data is the same, you may want to secure specific reports that display critical
decision data. Another example is content-driven security by department, where
each department can access only its dedicated views/reports.

Data
An important issue is to secure the data itself. This is a context based security layer where
specific groups of users have access to a specific data slice.
The following section discusses the aforementioned security layers.



Authentication Methods
This section discusses the methods used to access the security layers.
Panorama E-BI Server web communication is based on Microsoft Internet Information
Server (IIS). IIS supports the following directory security types:
• Integrated
• Basic
• Anonymous

Integrated
The Integrated method automatically identifies the user logged on at the Windows client.
Only Microsoft systems, networks and browsers support this method.

Basic
Basic security, which is supported by all browsers, offers interactive authentication by the
user with a username and password. A pop-up window appears at the beginning of the web
session to verify user credentials.

Anonymous
The Anonymous method lets everybody in and treats all users the same, based on
a single status that is common to all users, as defined in IIS.
Panorama supports all these methods. The Panorama Server neither knows nor needs to know
which IIS authentication method is used. What matters is who the current user is.
This information is set and passed to Panorama by any of the aforementioned methods.
If you build a custom web BI application, you might want to obtain user information. This
information can be retrieved from the session object in ASP, for example, and reused.
Another common method to authenticate users and obtain user information is to build a web
login page with your own logic; the page can be secured as a standard web login page.
Once we identify and classify the user, we can proceed to the application layer.

Report Security
A BI system has many reports, which in Panorama are termed views. Views are often
arranged in folders which combine to form Briefing Books. In Panorama, Dashboard views
can be arranged in pages and sections. In any case, we have a number of views and the
purpose of this layer is to enable groups of people to access different sets of views.
The Briefing Book mechanism is available in the product out of the box. When working with
Analysis Services (AS) roles (next chapter), the Briefing Books, folders and single views can
be secured on a role level. For example, the Sales folder inside a book can be made visible only
to the Sales role (defined in AS). A view has visible and hidden attributes, and security on the
book level is more flexible, allowing or restricting context menus or
advanced functionality. To set up book security, use Panorama Administrator and right-click
on a Briefing Book. Select the Manage Roles option. For detailed instructions, see the
Administrator manual.



If you are more interested in a custom portal, and have no AS roles defined, you can
manage your view level security within your custom system using your logic. Panorama
Dashboard features a powerful user database with a section/page security out of the box.

Data Security
Data security is an important security layer. The following are methods of
implementing data-based security:
• Analysis Services
• Panorama Slicer Method
The two data security methods are completely independent and can be used simultaneously;
however, the system may then become difficult to manage. To avoid possible security holes and
an unmanageable system, we strongly recommend utilizing a single method of data security for
an entire BI project.

Analysis Services
Analysis Services (AS) roles are containers of Windows users and NT groups. AS can only
work when integrated, so all the users mentioned should be valid Windows users. Each role
can have customized data access, starting from cube access level up to advanced MDX
statements. Panorama fully supports the roles mechanism except for the custom user-
defined MDX statements that use the 'Username' MDX function.

Panorama Slicer Method


An alternative method to control data security is to use the Panorama Slicer method. When
calling the Panorama applet, the slicers can be set enabling users to access only a portion of
the data based on dimension security. The slicer method also supports advanced MDX and is
in many respects more powerful than the original AS security. A comparison between the
two methods is presented in the next section. See OLAP vs. SLICER Security Comparison.

Microsoft Internet Information Server Version 6 (IIS)


In this version of IIS, Microsoft extended the capabilities of the server and
enhanced its security controls, which causes some issues with third-party software that
depends on the IIS service, such as Panorama NovaView™ E-BI server.
Figure 1 and Figure 2 illustrate the minimal requirements for a Panorama server installed on IIS 6:



Figure 1: Panorama Out-Of-The-Box Installation (Welcome.HTM Mode)

Figure 2: Configuration for Panorama Applications (e.g. Panorama Dashboard and Supply Chain Intelligence Solution)



Security Implementation with Microsoft Analysis Services
Roles and Panorama Performance Dashboards for Domain
Users
This section contains the following:
• Introduction
• Panorama Layer Security
• Data Layer Security Management

Introduction
This document describes security implementation with Microsoft Analysis Services roles and
Panorama Performance Dashboards for domain users.

Panorama Layer Security


The BI platform security can be modeled as the following security layers:
• Data Layer Security
• Report Layer Security

Data Layer Security


Data layer security defines what parts of the cube users can access.
For data layer security implementation, assume that all the users in an organization are MS
Windows domain users. The authentication method is an MS Windows Integrated security
based on IIS integrated security.

Report Layer Security


Report layer security defines what reports can be accessed and used by users.
For report layer security implementation, we assume the entrance point is the Panorama
Performance Dashboards application, an ASP portal application which manages Panorama
views. Panorama Performance Dashboards is configured to use Integrated Security and
work with MS Windows domain users. To set Panorama Performance Dashboards to
Integrated authentication, in the Panorama Performance Dashboards application, go to
Settings -> Security and choose the Windows Authentication option in the Basic
Options area.
Note
When this option is selected, only MS Windows users recognized by the Panorama
Performance Dashboards are able to access the system.

To make Panorama Performance Dashboards recognize domain users, an administrator has
to import them from the Active Directory. In the administration of the Panorama
Performance Dashboards under Users, there are two options on the left side – Import
Domain Users and Groups. Panorama Performance Dashboards users can be either
domain users or domain groups. If a domain user is a Panorama Performance Dashboards
user, the relation is one to one. The domain user recognized by the Dashboard using
Integrated Security will have the security properties of the Dashboard User (imported, or just
one with exactly the same name). If a Domain Group is a Panorama Performance Dashboards
user, the relation is many to one. All the domain users who are recognized by the Dashboard
using Integrated Security and who, based on Active Directory, belong to the specified domain
group have the same Dashboard user (domain group) security properties.
To simplify security administration, all users are divided into groups and set in the Active
Directory. These groups are formed based on security roles in the organization. Examples
of this are BI System Users and BI System Administrators. Import groups to the
Panorama Performance Dashboards and set the correct security settings. A Panorama
Performance Dashboards user can be a user, an administrator or an administrator on select
Panorama Performance Dashboards areas.
The basic report level unit is a Panorama view, which is a single grid/chart report. Panorama
views are created and form a Briefing Book, which is unimportant for Panorama
Performance Dashboards implementation, as only the report management is accomplished
here.
Panorama views can be arranged in a Panorama Performance Dashboards to form a Page.
A user can be allowed access to a page, or denied access. A collection of Pages, organized
by specific subject, for example, forms a Section. A Section is a security unit, meaning that
some users can access specific sections, some can administer specific sections, etc. If
it is necessary to set security at a higher granularity, at Page level, a separate
section can be created for a specific Page, with its own security settings.
Every user (domain group in our case) can have different access to the Panorama
Performance Dashboards. Click on the Users tab, select a specific user from the list
presented, then go to the Dashboard Access Rights section. The user (group) can have
no dashboard access, read-only access (user-like), or administrative access for
portal content management. For more flexibility and granularity, select the Section
Level Access and set the same No Access, User Access or Admin Access on a section
level.
To manage Panorama Performance Dashboard pages and divide them into sections, in the
Dashboard Administration click on the Sections tab and select a section on the left side (or
create a new one). Once selected, in the lower right area, the section content (the pages
that build the section) can be selected.
Note
Sections are exclusive, and one Page can only belong to one Section. If you require
higher granularity, create Section per Page and set the Page level security.

Do not be confused with Dashboard Groups that appear in the Sections administration. We
will not be using this element.

Summation
We have managed our content with domain groups and sections of reports. When a new
user is added into the organization, they can be added to the matching AD group and all
other settings are automatic. If there is a need to create a special permission for a single
individual, the domain user can be imported to the Panorama Performance Dashboards and
different security settings can be set for the User. Even if the specific user belongs to groups
which are also imported to the Dashboard, a user-specific security is applied with higher
priority than those of the group to which he belongs.
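
The precedence and exclusivity rules summarized above can be checked with a short audit script. This is an added example, not part of the original guide or of any Panorama tool: the configuration dictionaries are constructed sample data, and two points the guide leaves open are handled as labelled assumptions (an individually imported user's entry fully replaces group settings; groups that disagree are flagged for review instead of being merged).

```python
from collections import defaultdict

# Access levels named in the guide.
NO_ACCESS, USER_ACCESS, ADMIN_ACCESS = "No Access", "User Access", "Admin Access"
NEEDS_REVIEW = "Needs review"  # label used by this script only

# Constructed sample configuration (all names hypothetical).
SECTIONS = {"Sales": ["Sales KPIs", "Pipeline"], "Finance": ["P&L", "Pipeline"]}
AD_GROUPS = {
    "BI System Users": {"alice", "bob", "dave"},
    "BI System Administrators": {"bob"},
}
# Section-level access for imported domain groups.
GROUP_ACCESS = {
    "BI System Users": {"Sales": USER_ACCESS, "Finance": NO_ACCESS},
    "BI System Administrators": {"Sales": ADMIN_ACCESS, "Finance": ADMIN_ACCESS},
}
# Section-level access for individually imported domain users.
USER_OVERRIDES = {"alice": {"Sales": USER_ACCESS, "Finance": USER_ACCESS}}


def pages_in_multiple_sections(sections):
    """Sections are exclusive: report every page assigned to more than one."""
    owners = defaultdict(list)
    for section, pages in sections.items():
        for page in pages:
            owners[page].append(section)
    return {page: secs for page, secs in owners.items() if len(secs) > 1}


def effective_access(user, section):
    """Return (level, reason) for one user and one section."""
    # User-specific security has priority over the user's groups.
    # Assumption: the user entry replaces group settings entirely.
    if user in USER_OVERRIDES:
        return USER_OVERRIDES[user].get(section, NO_ACCESS), "user entry"
    levels = {
        group: GROUP_ACCESS[group].get(section, NO_ACCESS)
        for group, members in AD_GROUPS.items()
        if user in members and group in GROUP_ACCESS
    }
    if not levels:
        # Only users recognized by the Dashboard can access the system.
        return NO_ACCESS, "not recognized"
    if len(set(levels.values())) == 1:
        return next(iter(levels.values())), "group: " + ", ".join(sorted(levels))
    # The guide does not say how differing group settings combine, so flag them.
    return NEEDS_REVIEW, "groups disagree: " + ", ".join(sorted(levels))


def audit(users):
    """Effective access for every (user, section) pair."""
    return {(u, s): effective_access(u, s) for u in users for s in SECTIONS}


if __name__ == "__main__":
    print("Pages in more than one section:", pages_in_multiple_sections(SECTIONS))
    for (user, section), (level, reason) in audit(["alice", "bob", "carol", "dave"]).items():
        print(f"{user:6} {section:8} {level:13} ({reason})")
```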



Data Layer Security Management
When implementing the Panorama BI solution, Data Security can be managed by the
following:
• Analysis Services Roles (Analysis Services server side security)
• Panorama Slicer Security (Panorama engine, filtering data on the Panorama Server
layer)
• Combination (Analysis Services Roles and Panorama Slicer Security)
In our solution we manage Data Security using Analysis Services Roles. In this case,
Panorama recognizes the logged user, and forwards the username to Analysis Services. To
do that you need to set the Panorama Performance Dashboards to work in OLAP Security
mode for the data.
In the Panorama Performance Dashboards application, click on Users, then on a specific
user and select the OLAP Security option.
Note
Do not select the user security prior to the roles definition in the Analysis Services. User
access may be blocked for that user.

You can simplify the security management and not deal with the issue of Roles if the only
entry point for the BI application is Panorama Performance Dashboards and if no other tools
that access the cubes are available to the end users. As we have already defined Section
level security, users accessing the system are already limited to specific content which can
be directly related to specific cube or data. In this case, no additional settings are required.
A single role can be created in the cube to grant access only to the Panorama Service User.
All the web users in Panorama are connected on behalf of the Panorama Service User if no
OLAP security (which enables a kind of impersonation) is activated.
Roles, if used, are containers of domain users and domain groups. In addition to the defined
groups as described above, the same active directory groups can form Analysis Services
roles, and the security management is centralized to active directory, which is easy and
secure.
The scenario described in this article is only one of the many possible security
implementations with Analysis Services and Panorama Software.



Part II – Administration and System Level
Network Security
The following are communication channels in the web BI system:

• Client to Panorama Server


• Panorama Server to the Analysis Services

Client to Panorama Server


The Client to Panorama Server communication is pure HTTP traffic handled by IIS and IE.
Panorama, together with IIS, can be configured to use any available TCP/IP port. The traffic
can also be secured with SSL and other available standard HTTP traffic security methods.
Since Panorama-Client communications use a proprietary binary format, it
is difficult for an unauthorized party to “sniff” the traffic and understand the transmitted data.
A binary format is not encryption, however, so SSL is the method to rely on when the data must
stay confidential in transit.

Panorama Server to the Analysis Services


Panorama Server to the Analysis Services communication is a standard OLAP client to
server communication which supports whatever format Microsoft AS offers. Refer to MSDN
to learn how to secure OLAP traffic.

Panorama Server
Panorama Server maintains a pool of active connections to the Analysis Services. In
addition, the Panorama Administrator installed on the server is responsible for managing AS
roles, obtaining drillthrough information, and other administrative tasks. The server
requirements are as follows:
• AS Management Tools (minimum) installed on the Panorama machine.
• Run the Panorama Service with a user who is a member of the local OLAP
Administrators group.
• The user who runs the Panorama service also needs to have full NTFS
permissions to the Panorama folder.

File System and Virtual Directory


An account that runs Panorama service should have full NTFS permissions to the Panorama
folder (<root>.\Program Files\Panorama) and all child objects.
The Panorama\E-BI directory is the real path of the Panorama virtual directory. Files in this
directory are mostly accessed and used by the Panorama Service which runs on behalf of a
power user. Some web files, like CONNECTOR.DLL, welcome.htm and other HTM, ASP and
ISAPI files are accessed via HTTP by the web users. In this case the file security should
match the IIS directory security mode.
As described in the Authorization section, a Panorama Virtual Directory can have any of the
directory security methods. The execute permissions on the directory should be Scripts and
Executables.



Database Access
The Panorama service requires access to a SQL database to work properly. The account that
runs the Panorama service should have at least read and write permissions to the Panorama
database.

Part III – Model Selection


This is the most important section if you are in the implementation stage. First, an overall
comparison of two main data security methods is presented, and then the most common
scenarios are presented.

OLAP vs. SLICER Security Comparison


The following table lists OLAP vs. Slicer security issues:

| OLAP Roles | Slicer Security |
|---|---|
| Easier to start with. UI configuration, no coding required. Out of the box support. | Requires more structured approach and some coding (unless Dashboard UI used). |
| Faster to configure for a limited small number of roles. | The initial configuration can take longer. |
| Confusing and dangerous in medium and larger sites with many roles. An improperly configured role can change the security logic and render the system insecure. | Very straightforward and more suitable for medium and big projects with many users. No limitation on the number of users. No limitation on different security patterns. |
| Average UI maintenance and update. No way to improve. | No out of the box maintenance and management routines unless the Dashboard is used as a portal. However, once invested in management and update procedures, it becomes much faster and easier for the administrators. |
| Custom MDX till cell level. | Custom MDX till cell level. |
| User recognized using ‘UserName’ function. Not scalable as there is the need to open a connection per user. | The security can be user-dependent (dynamic, as a function of username). Connection sessions can be pooled between users. |
| The same applies for desktop and web clients. | Not applicable for desktop clients. |
| Common for different Analysis Services clients. | Panorama feature, compatible only with Panorama products. |
| Good only for Windows integrated systems, Intranet only. | Good for all kinds of web systems, including non-Windows networks and Internet (outside domain) projects. |



Securing Java Component Parameters
To make the parameters more secure, the Panorama web server provides the programmer
with the ability to replace them with unique IDs (GUIDs) which are relevant only for the current
session.
For further information, see the Panorama Software Development Kit (SDK) document.
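
The idea behind session-scoped IDs, and why it matters for the Slicer method where the slicer decides which data a user sees, is sketched in the added example below. It is not code from the Panorama SDK: the class, function and the `pid` parameter name are hypothetical, and the user-to-slicer table is constructed sample data.

```python
import uuid

# Constructed sample data: which data slice each user may see (hypothetical names).
SLICER_BY_USER = {
    "CORP\\alice": "[Region].[EMEA]",
    "CORP\\bob": "[Region].[APAC]",
}


class SessionParameterVault:
    """Keeps real component parameters on the server, keyed by per-session GUIDs."""

    def __init__(self):
        self._store = {}  # session_id -> {guid: parameters}

    def protect(self, session_id, parameters):
        """Store the parameters and return the opaque ID that goes into the page."""
        guid = str(uuid.uuid4())  # random, carries no information about the parameters
        self._store.setdefault(session_id, {})[guid] = dict(parameters)
        return guid

    def resolve(self, session_id, guid):
        """Return the parameters only if the GUID was issued to this same session."""
        try:
            return dict(self._store[session_id][guid])
        except KeyError:
            raise PermissionError("parameter ID not valid for this session") from None

    def end_session(self, session_id):
        """Drop every ID issued to the session, so old IDs stop resolving."""
        self._store.pop(session_id, None)


def build_component_markup(vault, session_id, username):
    """Build the markup sent to the browser; the slicer itself never leaves the server."""
    slicer = SLICER_BY_USER[username]  # chosen from the authenticated user, not the request
    guid = vault.protect(session_id, {"view": "Sales Overview", "slicer": slicer})
    # "pid" is a hypothetical parameter name, not one from the Panorama SDK.
    return guid, f'<param name="pid" value="{guid}">'


if __name__ == "__main__":
    vault = SessionParameterVault()
    guid, markup = build_component_markup(vault, "session-A", "CORP\\alice")
    print(markup)
    print(vault.resolve("session-A", guid))
    try:
        vault.resolve("session-B", guid)  # same ID presented by another session
    except PermissionError as exc:
        print("rejected:", exc)
```

Because the browser only ever holds the GUID, a user cannot edit the slicer in the page source to widen their data slice, and an ID copied from one session does not resolve in another.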

Panorama Driven BI Solution – Common Security Scenarios
There are several common security scenarios for deploying Panorama. One of them is to
locate the Panorama Server in a DMZ along with the Analysis Services servers. See Figure 3.

Figure 3: Configuration for Panorama Applications (e.g. Panorama Dashboard and Supply Chain Intelligence Solution)
Another scenario is to place the Analysis Services servers inside the corporate network with
the database servers.
