Protecting sensitive data is a top priority for our company. This tutorial covers all security aspects of using Flexmonster Accelerator to connect to SSAS cubes. Follow the sections:
One of the most common questions we get is how data from the OLAP cube is transferred to Flexmonster Pivot. Flexmonster Accelerator serves as an additional server-side layer that helps to completely restrict outside access to the database. When connecting to the data source inside the pivot table, the URL of the Accelerator is specified instead of the SSAS server URL. Flexmonster sends its requests to the Accelerator. Flexmonster Accelerator then communicates with the SSAS server and gets the necessary data. The Accelerator sends this data back to the client side. The flowchart below describes the process:
To ensure data security on the server side, the Accelerator doesn’t accept requests from any other web applications, only from Flexmonster. It is not possible to send an HTTP request directly to Flexmonster Accelerator without using Flexmonster Pivot. Also, the Accelerator doesn’t accept a request or response that was changed during the communication process. Each request and response contains a checksum for the package to ensure that it was not changed.
The only requirement is to open an additional port on the server for the Accelerator. However, this is not a requirement specific to our component but a strict restriction imposed by browser security. It is absolutely necessary to use CORS and an extra port, and there is no workaround. Otherwise, the client’s browser will not allow communication with the server.
Since only the Accelerator needs to communicate with the client side, it is recommended to restrict any external access to the OLAP cube. In this case, the cube is accessible exclusively on the local server. This method increases security and protects against external threats:
When the SSAS server and the Accelerator are located on different servers, it is necessary to open a port on the SSAS server for the Accelerator.
To ensure data security on the client side, it’s not possible to read the data from the server without Flexmonster Pivot. Each request and response contains a checksum for the package. If this checksum is invalid, an error message is shown instead of the data.
Even though the connection between the Accelerator and Flexmonster Pivot is secured, using the HTTP protocol poses a threat because it does not encrypt the data. The HTTPS protocol encrypts the data and protects it from interception. Flexmonster Accelerator supports HTTPS; for more details, refer to the configuration tutorial.
It is often necessary to limit access to the data based on a user’s role. Flexmonster provides several options to manage data access levels. Here are the security models available:
One of the installation options for the Accelerator is integrating it into the back end as a separate ASP.NET controller. This eliminates the need to configure firewall settings and simplifies the update process. Referencing the Accelerator as a DLL also allows you to use your own custom authorization system, which makes it possible to manage security in any desired way. For more instructions, refer to the custom authorization tutorial.