Re: Security in Cubes and Dimension

You may need to build application-level security logic into your IIS
app, unless you can use Kerberos to pass UserID:

http://www.microsoft.com/technet/prodtechnol/sql/2000/maintain/anservog.
mspx
>>
Microsoft SQL Server 2000 Analysis Services Operations Guide
...
SSPI=KERBEROS specifies that the Kerberos network authentication
protocol be used. Kerberos enables interoperability with other security
architectures. More importantly to Analysis Services, it supports a more
flexible authentication infrastructure. Kerberos is based on "tickets,"
which greatly reduces the need for repeated authentication on each
network resource. The principal advantage of Kerberos for Analysis
Services is that its ticket-based approach supports multi-hop
architectures: an end user's credentials being passed from the client
machine to a Web server, then forwarded to the Analysis server (a
three-machine configuration).
...
For even more control, you might be able to use application-level
security. For example, suppose you are implementing a 3-tier Web-based
application. Because all data access goes through the middle-tier
application, you have an opportunity to add more extensive business
rules than Analysis Services supports directly. You can choose to allow
only certain kinds of operations within a certain number of days of the
monthly closing date. Or, you can choose to allow only a certain type of
data access if the end user also has credentials in some other security
systems, such as a form-based authentication database, a Lightweight
Directory Access Protocol (LDAP) server, or some other kind of
third-party tool.

Normally this kind of application-level security is available only if
you are writing the application yourself. However, some third-party OLAP
tools also provide their own security system. For example, Panorama's
Software's Novaview (see their web site at
http://www.panoramasoftware.com) has an entire subsystem that adds
additional controls for users that are using its thin-client, Web
application server. This kind of support varies from product to product.
...
>>


- Deepak

Deepak Puri
Microsoft MVP - SQL Server

*** Sent via Developersdex http://www.developersdex.com ***
.

Relevant Pages

  • Re: services not starting
    ... A few months ago I was looking at a server move to new hardware. ... The other error is the same but is the SYstem Attendant. ... I have looked at an article from MS that tells me to change the Kerberos ... The security account manager or local security authority ...
    (microsoft.public.exchange.admin)
  • Re: UserName and Kerberos tokens at the same time
    ... I have tried it on a Windows 2003 server as well and there I get the ... My client is a Windows application and I can se that the kerberos token is ... The kerberos Security token will try establish the security ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
  • Re: Kerberos NTLM
    ... I'll assume it was just a typo, and you do have an SPN registered for your IIS computer account as HTTP/server1.domain.com. ... you want to follow some basic Kerberos troubleshooting steps (like making sure the time is correct on both client and server). ... Joseph T. Corey MCSE, Security+ ...
    (microsoft.public.windows.server.active_directory)
  • Re: services not starting
    ... How did you move your Exchange 2000 server to a new box? ... I have looked at an article from MS that tells me to change the Kerberos ... The security account manager or local security authority ...
    (microsoft.public.exchange.admin)
  • security-basics Digest of: get.123_145
    ... VPN to ASP a security risk? ... Re: Multiple IPSec tunnels? ... Subject: Security NT Server ... VPN to ASP a security risk? ...
    (Security-Basics)