Allow only certain clients to connect to Analysis Services 2005
-
Hi,
maybe it is an unusual request, but it is one!
Is there a way to ensure, that only certain clients could connect to the
OLAP server? The reason is to prevent "standard" users to use excel and other
stuff for querying the OLAP cubes, only allowing them to use the defined
reports in reporting services. If this is not the case they use client apps
to download tons of data from the warehouse, which could result in
performance issues. Then some of them they think in their own way about the
measures and start to create wrong reports.
Best regards,
Stefan
Kindest Regards,SK
-
Well, if you used a specific user account to access the AS datasource in RS, then you could create a role that contains only that user account. Then any other attempts to access the AS service (ie the DB's and cubes) would be denied.
I think RS lets you decide per report (or maybe datasource) whether to pass the 'current' users credentials or use a specified set of credentials. If you're passing them (the current users), watch out for the 'double-hop' if you RS and AS are on different servers.
Steve.
-
Hi Steve,
this would solve the problem if I only would need to connect users to SSAS and simply giving them the rights to access the cubes. But I have to post the username and credentials via Integrated Security to SSAS, because the users have different rights which dimensions and cubes they can access.
Thus I have to assign the rights to groups in SSAS. But could I do this?
RS and AS are on the same server in my case, what would I have done elsewhere to pass the credentials?
Stefan
Kindest Regards,SK
-
Hey Stefan,
That makes it a little more interesting. I haven't tried this but one thing you could do (given time and effort) is to write an app that monitors the service connections (like Profiler can do) and then (again like Profiler) look at the client for each connection and then kill connections that come from a client that you don't approve of.
I guess i don't understand the problem - if you've limitied them to specific dimensions, then they're unlikely to all be accessing the same suite of reports (ie can't run a report tht relies on a dim I can use), so what stops you from using a standard credential set for the report suite?
If the services were on different machines you would prob need to use Kerberos between the machines to allow IIS to pass the credntials to the next server.
Steve.
Viewing 4 posts - 1 through 4 (of 4 total)
You must be logged in to reply to this topic. Login to reply