Allow only certain clients to connect to Analysis Services 2005

  • Hi,

    maybe it is an unusual request, but it is one!

    Is there a way to ensure, that only certain clients could connect to the

    OLAP server? The reason is to prevent "standard" users to use excel and other

    stuff for querying the OLAP cubes, only allowing them to use the defined

    reports in reporting services. If this is not the case they use client apps

    to download tons of data from the warehouse, which could result in

    performance issues. Then some of them they think in their own way about the

    measures and start to create wrong reports.

    Best regards,

    Stefan


    Kindest Regards,

    SK

  • Well, if you used a specific user account to access the AS datasource in RS, then you could create a role that contains only that user account.  Then any other attempts to access the AS service (ie the DB's and cubes) would be denied.

    I think RS lets you decide per report (or maybe datasource) whether to pass the 'current' users credentials or use a specified set of credentials.  If you're passing them (the current users), watch out for the 'double-hop' if you RS and AS are on different servers.

     

    Steve.

  • Hi Steve,

    this would solve the problem if I only would need to connect users to SSAS and simply giving them the rights to access the cubes. But I have to post the username and credentials via Integrated Security to SSAS, because the users have different rights which dimensions and cubes they can access.

    Thus I have to assign the rights to groups in SSAS. But could I do this?

    RS and AS are on the same server in my case, what would I have done elsewhere to pass the credentials?

     

    Stefan

     


    Kindest Regards,

    SK

  • Hey Stefan,

    That makes it a little more interesting.  I haven't tried this but one thing you could do (given time and effort) is to write an app that monitors the service connections (like Profiler can do) and then (again like Profiler) look at the client for each connection and then kill connections that come from a client that you don't approve of.

    I guess i don't understand the problem - if you've limitied them to specific dimensions, then they're unlikely to all be accessing the same suite of reports (ie can't run a report tht relies on a dim I can use), so what stops you from using a standard credential set for the report suite?

    If the services were on different machines you would prob need to use Kerberos between the machines to allow IIS to pass the credntials to the next server.

     

    Steve.

Viewing 4 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic. Login to reply