Contents
Overview
Introducing Analysis Services Security
Understanding Administrator Security
Securing User Authentication
Understanding Database Roles
Implementing Dimension Security
Lab A: Implementing Cube Security
Review
Module 15: Implementing Security
© 2000 Microsoft Corporation. All rights reserved.
Instructor Notes
In this module, students will gather the skills necessary to implement security in Microsoft® SQL Server™ 2000 Analysis Services. Students will learn the concepts and mechanics of administrative permissions, database roles, and cube roles. In the lab, students create and test a role that uses dimension and cell security.
After completing this module, students will be able to:
• Understand the use of security in Analysis Services.
• Explain administrator security.
• Describe authentication methods.
• Assign database roles.
• Apply dimension security.
• Manage cube roles.
Materials and Preparation
This section lists the required materials and preparation tasks that you need to teach this module.
Required Materials
To teach this module, you need the following materials:
• Microsoft PowerPoint® file 2074A_15.ppt
Preparation Tasks
To prepare for this module, you should:
• Read all the student materials.
• Read the instructor notes and margin notes.
• Complete all the demonstrations.
• Practice the lecture presentation and demonstration.
• Complete the lab.
• Review the Trainer preparation presentation for this module on the Trainer Materials compact disc.
• Review any relevant white papers that are located on the Trainer Materials compact disc.
Presentation: 60 Minutes
Lab: 30 Minutes
Module Strategy
Use the following strategy to present this module:
• Introducing Analysis Services Security
  Explain that Analysis Services allows security to be defined at different levels in online analytical processing (OLAP) databases and cubes—from the server level down to the cell level.
• Understanding Administrator Security
  Explain that to administer Analysis Services, you must be a member of the Microsoft Windows® 2000 or Microsoft Windows NT® OLAP Administrators group.
• Securing User Authentication
  Introduce ways to connect to Analysis Server. Explain that user security is controlled by authentication.
• Understanding Database Roles
  Introduce roles by defining what they are and by giving some key parameters. Introduce the Database Role Manager dialog box and describe its use. Show how to define, delete, edit, and copy a new role. Define database role properties and introduce the Create a Database Role dialog box and how it allows you to define properties of a role. Display the dialog box as you discuss the user interface elements.
• Implementing Dimension Security
  Introduce dimension security. Explain that, with dimension security, you can prevent users from viewing specified dimension members, and data associated with those members. Show how dimension security is defined by using the Custom Dimension Security dialog box. Display the dialog box as you discuss the user interface elements.
• Managing Cube Roles
  Introduce the Cube Role Manager, explain dimension and cell security, describe advanced cell security permissions, and introduce administration and custom options.
Overview
• Introducing Analysis Services Security
• Understanding Administrator Security
• Securing User Authentication
• Understanding Database Roles
• Implementing Dimension Security
• Managing Cube Roles
This module teaches you how to implement security in Microsoft® SQL Server™ 2000 Analysis Services. You will learn the concepts and mechanics of administrative permissions, database roles, and cube roles. In the lab, you will create and test a role that uses dimension and cell security.
After completing this module, you will be able to:
• Understand the use of security in Analysis Services.
• Explain administrator security.
• Describe authentication methods.
• Assign database roles.
• Apply dimension security.
• Manage cube roles.
In this module, you will learn about Analysis Services security.
Introducing Analysis Services Security
of Analysis Services security:
• Administrator security defines who can administer an Analysis Server.
• Cube security allows you to specify which users can read and write to an online analytical processing (OLAP) cube.
• Dimension security allows you to restrict users from viewing specified dimension members.
• Cell security, the most granular level of security, allows you to define the cells that users can read and write to.
• Special options define security for drillthrough, cube linking, and SQL queries.
Important: Database security can be applied in Analysis Services only when the Analysis Server is installed on an NTFS file system. Therefore, it is recommended that Analysis Services always be installed on an NTFS partition.
Understanding Administrator Security
• Administrator Security Is Based on Windows 2000 or Windows NT 4.0 Security
• The User Who Installs Analysis Services Is Automatically Placed in the OLAP Administrators Group
• Additional Administrators Must Be Added to the OLAP Administrators Group
• All Administrators Have Identical Privileges
• An Administrator Retains Full Access Privileges when Connected through a Client
Administrator security defines who can administer an Analysis Server. It is important to understand how to grant administrators the required rights needed to gain access to the Analysis Server.
The following are characteristics of administrator security:
• To administer Analysis Services, you must be a member of the Microsoft Windows® 2000 or Microsoft Windows NT® 4.0 OLAP Administrators group. When Analysis Services is installed, a user group named OLAP Administrators is automatically created on the Analysis Server.
• The user who performs the installation is automatically placed in the OLAP Administrators group.
• Any additional administrators must be added to the OLAP Administrators group. You add administrators to the OLAP Administrators group outside Analysis Manager by using Windows 2000 or Windows NT 4.0 user administration.
• Only one level of administrator privilege exists in Analysis Services. An administrator can perform all operations in a database—they can even delete the database.
• When connected to a cube through a client, administrators retain full read and write access to all cubes, dimensions, and cells, regardless of any defined cube, dimension, or cell security.
Administrators maintain write access to only those cubes that are write-enabled.
accounts to administer Analysis Services. Administrators should refrain from accessing Web pages, productivity applications, and e-mail applications that support scripts or macros when using the administrative accounts because of the extensive data access rights of administrative account holders.
Securing User Authentication
• Direct Connection
  • A user connects to Analysis Server directly
  • Authentication is based on credentials granted in the user domain account
• HTTP Connection through IIS
  • A user connects to Analysis Server through IIS by using HTTP
  • Analysis Server relies on IIS authentication
User security is controlled by authentication. There are two ways to connect to an Analysis Server, each with its own authentication method.
• Direct Connection. When a user attempts to connect to an Analysis Server directly, the server attempts to authenticate based on credentials granted in the domain account.
• Internet Information Services (IIS). Users can connect to an Analysis Server through IIS by using Hypertext Transfer Protocol (HTTP). A connection string specifies the data source property.
When a user attempts to connect through IIS, Analysis Server relies on IIS authentication. If authentication on IIS is unsuccessful, the connection to the Analysis Server is denied.
IIS provides several authentication methods. For additional information, refer to the Internet Information Services online documentation.
Understanding Database Roles
• Defining Roles
• Using the Database Role Manager
• Defining Database Role Properties
To give users access to Analysis Services databases and cubes, you must first create roles to assign the access. To effectively manage roles, you need to understand the use of roles in Analysis Services, and how to create roles by using Analysis Manager.
In the next section, you will learn about the following security topics relating to roles:
• Defining roles
• Using the Database Role Manager
• Defining database role properties
Topic Objective: To describe the concept of roles in Analysis Services.
Lead-in: To give users access to Analysis Services databases and cubes, you must first create roles to assign the access.
Defining Roles
• Are Used to Grant Access to Analysis Services Databases and Cubes
• Must Be Created—None Exist By Default
• Cannot Be Shared Across Multiple Databases
• Are Automatically Created at the Database Level if You Create Roles at the Cube Level
• Are Managed in the Database Role Manager and the Cube Role Manager
You create roles to define the access of users to cube data or data mining models while they connect to Analysis Server through client applications. Each role includes a list of user accounts and groups, and defines the access permissions that these users share.
The following are key parameters regarding roles:
• You define roles for Analysis Services databases and for the cubes in the databases.
• By default, OLAP databases and cubes have no roles. When no roles are defined, only OLAP Administrators have access to the cubes.
• You cannot share roles across multiple databases.
• When you create a cube role, a database role of the same name is automatically created.
  • When you delete a cube role, the database role of the same name is not deleted.
  • Some properties of a database role are overridden by the corresponding cube or virtual cube roles without changing the properties of the database role.
  Note: Database roles cannot be overridden for a data mining model. For more information on data mining, see Module 17, “Introduction to Data Mining,” in course 2074A, Designing and Implementing OLAP Solutions with Microsoft SQL Server 2000.
• There are two user interfaces for defining and managing roles—the Database Role Manager dialog box and the Cube Role Manager dialog
Using the Database Role Manager
You use the Database Role Manager dialog box to define and administer roles for databases. Roles can be assigned to cubes, including virtual and linked cubes, and data mining models.
Defining a Role
To define a new role for a database, perform the following steps:
1. Right-click the database, and then click Manage Roles.
2. Click New in the Database Role Manager dialog box.
3. Define the role properties by using the Create a Database Role dialog box that is discussed later in this section.
Deleting a Role
To delete a role in a database, perform the following steps:
1. Right-click the database, and then click Manage Roles.
2. In the Database Role Manager dialog box, click the role you want to delete.
3. Click Delete.
Editing a Role
To edit a role in a database, perform the following steps:
1. In the Database Role Manager dialog box, click the role you want to edit.
2. Click Edit.
Topic Objective: To introduce the Database Role Manager dialog box.
Lead-in: You use the Database Role Manager dialog box to define and administer roles for the database.
Delivery Tip: Display the Database Role Manager dialog box as you discuss the user interface elements.
Copying a Role
To copy a role in a database, perform the following steps:
1. In the Database Role Manager dialog box, click the role you want to copy.
2. Click Duplicate.
3. Enter a name for the new role, and then click OK.
Defining Database Role Properties
The Create a Database Role dialog box allows you to define the following properties of a role:
• The users and user groups that belong to the role
• The cubes to which the role is assigned
• The data mining models to which the role is assigned
• The shared dimensions for which you want to restrict user access
The Create a Database Role dialog box contains interface elements similar to the Create a Cube Role dialog box. Both interfaces are straightforward to use when defining database and cube security.
Note: Cell security, discussed later, requires that security be enforced on the client.
Membership
On the Membership tab, you specify which users or user groups belong to the role. Users and user groups must be predefined by using Windows 2000 or Windows NT 4.0 user administration.
Topic Objective: To explain database role properties.
Lead-in: The Create a Database Role dialog box allows you to define properties of a role.
Delivery Tip: Display the Create a Database Role dialog box as you discuss the user interface elements.
Cubes
On the Cubes tab, you specify the cubes to which the role is assigned. A role can be assigned to any type of cube—regular, virtual, or linked. After a role is assigned to a cube, some properties of the role can be customized for the cube without changing the database role.
Mining Models
On the Mining Models tab, you specify the data mining models to which the role is assigned.
Dimensions
The Dimensions tab allows you to restrict access to dimension members. Only shared dimensions display on this tab. To restrict access to a private dimension, you must use the Cube Role Manager dialog box.
Implementing Dimension Security
By using dimension security, you prevent users from viewing specified dimension members and data associated with those members. For example, the preceding illustration shows a dimension security rule that limits access to Roberta Damstra employees. Any users connecting to the cube through this role will see data and dimension members for only Roberta Damstra and her subordinate employees at lower levels in the Employee dimension.
Dimension security is defined by using the Custom Dimension Security dialog box, which contains three tabs.
Basic Tab
The Basic tab on the Custom Dimension Security dialog box provides the following security properties:
• Select visible levels
  This pane allows you to specify the top and bottom visible levels in the dimension. Use these settings if you want to deny access to entire levels.
• Select members
  This pane displays a check box next to each dimension member. Selected members are visible to users assigned to the role. Deselected members are not visible to the users.
Topic Objective: To introduce dimension security.
Lead-in: By using dimension security, you prevent users from viewing specified dimension members and data associated with those members.
Delivery Tip: Display the Custom Dimension Security dialog box as you discuss the user interface elements.
Key Point: By using dimension security, you prevent users from viewing specified dimension members and data associated with those members.
Advanced Tab
For complex dimension security, the Advanced tab allows you to enter multidimensional expression (MDX) statements that define the dimension members viewable by users assigned to the role.
On the Advanced tab:
• Data inputs from the Basic tab are represented as MDX statements. You can edit the MDX statements directly in the edit boxes, or you can click the ellipsis buttons (…) to display the MDX Builder dialog box.
• Separate MDX statements define the top viewable level, the bottom viewable level, the visible members, and the invisible members.
Common Tab
The Common tab lists two important features:
• Visual Totals
  When you enable this property, members that are hidden because of dimension security are not included in aggregations.
  When you do not enable the Visual Totals property, a parent member value may not equal the value of its visible children. In addition, when visual totals are disabled, users may be able to deduce the values for hidden members. When you hide dimension members, you normally enable the Visual Totals property to prevent these problems from occurring.
  Note: Visual totals cannot be enabled for a cube containing a measure based on a distinct count. For more information on distinct count measures, see Module 6, “Working with Cubes and Measures,” in course 2074A, Designing and Implementing OLAP Solutions with Microsoft SQL Server 2000.
• Default Member
  For users assigned to the role, this property—an MDX statement—specifies the default member for the defined dimension. The MDX statement can be a simple member name, or a complex expression that evaluates the member name dynamically.
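The effect of the Visual Totals property described above, as an added example in Python that is not part of the course material. It models a role's visible members over a constructed hierarchy and reports which hidden values a user could derive by subtraction; the member names, values and function names are assumptions for illustration, not FoodMart 2000 data or Analysis Services APIs.

```python
# Constructed sample data (not from FoodMart 2000): a three-level hierarchy
# and one additive measure stored at the leaf level.
CHILDREN = {
    "All": ["North", "South"],
    "North": ["N1", "N2"],
    "South": ["S1", "S2"],
}
LEAF = {"N1": 120, "N2": 80, "S1": 200, "S2": 50}


def leaves(member):
    """Return the leaf members at or below `member`."""
    kids = CHILDREN.get(member)
    if not kids:
        return [member]
    return [leaf for kid in kids for leaf in leaves(kid)]


def cell_value(member, visible, visual_totals):
    """Value the role sees for `member`, or None if the member is hidden.

    Model assumption: hiding a member also hides all of its descendants.
    """
    if member not in visible:
        return None
    counted = leaves(member)
    if visual_totals:
        # Hidden members are left out of the aggregation.
        counted = [leaf for leaf in counted if leaf in visible]
    return sum(LEAF[leaf] for leaf in counted)


def deducible_hidden(visible, visual_totals):
    """Hidden values a user can derive as parent minus visible children."""
    leaked = {}
    for parent, kids in CHILDREN.items():
        if parent not in visible:
            continue
        hidden = [k for k in kids if k not in visible]
        shown = sum(cell_value(k, visible, visual_totals)
                    for k in kids if k in visible)
        gap = cell_value(parent, visible, visual_totals) - shown
        if len(hidden) == 1 and gap != 0:
            leaked[hidden[0]] = gap       # exact value of the one hidden sibling
        elif hidden and gap != 0:
            leaked[tuple(hidden)] = gap   # only the combined value is exposed
    return leaked


# Role that hides the South branch, as the Select members pane would.
ROLE_VISIBLE = {"All", "North", "N1", "N2"}

if __name__ == "__main__":
    for vt in (False, True):
        print("visual totals:", vt,
              "| All =", cell_value("All", ROLE_VISIBLE, vt),
              "| deducible:", deducible_hidden(ROLE_VISIBLE, vt))
```

With visual totals disabled the parent total still includes the hidden branch, so the gap between the parent and its visible children equals the hidden value; with the property enabled the gap is zero and nothing is reported.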
Demonstration: Defining a New Database Role
In this demonstration, you learn how to add a new role to the FoodMart 2000 database.
To display the Create a Database Role dialog box
1. In Analysis Manager, right-click the FoodMart 2000 database, and then click Manage Roles.
2. In the Database Role Manager dialog box, click New.
To specify basic properties
1. In the Create a Database Role dialog box, type My New Role in the Role name box.
2. In the Enforce on list, click Server.
To specify role membership
1. In the Create a Database Role dialog box, click the Membership tab, and then click Add.
2. In the Add Users and Groups dialog box, click any user group, and then click Add.
3. Click OK to close the Add Users and Groups dialog box.
Topic Objective: define a database role
Lead-in: In this demonstration, you learn how to add a new role.
To assign the role to a cube
1. In the Create a Database Role dialog box, click the Cubes tab.
2. Select the HR cube check box.
3. Click OK to close the Create a Database Role dialog box.
4. Click Close to close the Database Role Manager dialog box.
5. In the FoodMart 2000 database, expand the Cubes folder.
6. Click the HR cube, and then click the Meta Data tab.
7. In the Meta Data pane, scroll down to Roles. Verify that role My New Role is assigned to the cube.