RE: OWC 11 security problem connecting to AS
From: James (news_at_att.com)
Date: 08/12/04
Date: Thu, 12 Aug 2004 00:07:01 -0700
You write that the connection is then made directly from the OWC to AS,
without going through the virtual directory, where msolap.asp is located. In
effect, you are saying that OWC systematically bypasses all security and
exposes all data in the cube, whatever role security is implemented in the
cube. Do I understand you right? Why bother implementing basic or digest or
windows authentication then, since OWC is going to bypass it anyway?
I'm sorry the 2 questions in my post were confusing. I'm not trying to get
UK users to see US data.
I'm asking how come the UK_User gets to see the US data, although AS role
security is set up in a way that UK_User is blocked from seeing US data. I
have verified that role-based security does work when the users sign in
locally on the server.
However, when accessing the data from a remote location using OWC, they just
need to change the URL in the OWC connection string to completely bypass AS
security, and see all the data. How is it possible to bypass AS
role-based security so easily??
"Wei-Dong XU [MSFT]" wrote:
> Hi,
>
> From my research, the OWC control is a client control. When it sends the
> request to the server, it builds the connection with the server itself,
> which means the security credential it is using is decided by the
> connection string, not the login page. Even if you use the form authentication,
> the control still manages its connection with the AS individually. This is
> because the OWC is the client ActiveX control which sends the request to
> the AS server itself, not at the run time of the aspx page.
>
> For example, we can find the datasource is from the Dir_UK in your
> connection string.
> PivotTable1.ConnectionString = "Provider=MSOLAP.2;" + _
> "Data Source=http://10.10.10.10/Dir_UK;Initial Catalog=ASDB"
>
> And you have set "Windows account used for anonymous access" for UK_user,
> US_user, so when the client OWC requests the data from
> http://10.10.10.10/Dir_UK, the request will be impersonated to the UK_user
> by IIS and then access the data from AS.
>
> So for your question:
> "How is it possible to connect to Analysis Services through another virtual
> directory? How can MyServer\UK_User bypass AS security and get US data?"
>
> Suggestion 1:
> You can only provide one link to the page located in the Dir_US for the
> users. Since the new page will contain the connection string Data
> Source=http://10.10.10.10/Dir_Usa, they will then see the US data.
>
> Suggestion 2:
> Use one piece of JavaScript code to change the "Data Source" property value of the
> pivottable on the client side. This way, there is no need for IE to
> download the page from Dir_usa.
>
> Please feel free to let me know if you have any questions.
>
> Best Regards,
> Wei-Dong Xu
> Microsoft Product Support Services
> Get Secure! - www.microsoft.com/security
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
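
The identity resolution discussed in this thread, as an added example that is not part of either poster's message: a small model of which account Analysis Services sees when each virtual directory maps anonymous requests to a fixed Windows account, plus an audit that flags such directories. The role table, the `MyServer\US_User` account name, the `/Dir_US` path spelling and the behaviour with anonymous access turned off are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class VDir:
    path: str                           # IIS virtual directory that serves msolap.asp
    anonymous: bool                     # anonymous access enabled on the directory?
    anon_account: Optional[str] = None  # "Windows account used for anonymous access"

# Constructed role table: Windows account -> slice of the cube its AS role may read.
ROLE_SCOPE = {r"MyServer\UK_User": "UK", r"MyServer\US_User": "US"}

def effective_identity(vdir, authenticated_user=None):
    """Account that Analysis Services sees for a request to this directory."""
    if vdir.anonymous:
        # The caller is never identified: the directory in the URL picks the account.
        return vdir.anon_account
    # Assumption of this model: with anonymous access off, IIS passes on the
    # authenticated caller, or rejects the request (None) when there is none.
    return authenticated_user

def visible_scope(vdir, authenticated_user=None):
    """Cube slice the request can read, or None if it is refused."""
    return ROLE_SCOPE.get(effective_identity(vdir, authenticated_user))

def audit(vdirs):
    """Paths where anonymous access hands a role-bearing account to any caller."""
    return [v.path for v in vdirs if v.anonymous and v.anon_account in ROLE_SCOPE]

# Constructed inventories: the setup described in the thread, and the same
# directories with anonymous access switched off.
AS_POSTED = [VDir("/Dir_UK", True, r"MyServer\UK_User"),
             VDir("/Dir_US", True, r"MyServer\US_User")]
AUTH_REQUIRED = [VDir("/Dir_UK", False), VDir("/Dir_US", False)]

if __name__ == "__main__":
    print("flagged directories:", audit(AS_POSTED))
    print("anonymous request to /Dir_US reads:", visible_scope(AS_POSTED[1]))
    print("UK_User authenticated at /Dir_US reads:",
          visible_scope(AUTH_REQUIRED[1], r"MyServer\UK_User"))
```

In the model, AS role security only constrains a user once the identity reaching AS is the caller's own; while the directory supplies the account, the role check is applied to the URL rather than to the person.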