This tutorial explains how to manage the authentication process when working with SQL Server Analysis Services (SSAS).
We support three different approaches:
In SQL Server Analysis Services, access rights are provided based on roles. More information about role configuration can be found in this tutorial from Microsoft.
After roles are configured in Analysis Services, they can be specified in Flexmonster reports by using the roles property. This property is available for both XMLA and the Accelerator. The following sample demonstrates how to specify roles:
dataSource: {
type: "microsoft analysis services",
/* URL to msmdpump.dll */
proxyUrl: "http://localhost/OLAP/msmdpump.dll",
catalog: "Adventure Works DW Standard Edition",
cube: "Adventure Works",
/* roles from SSAS, you can add multiple
roles separated by comma */
roles: "Sales Manager US"
}
Open the example on JSFiddle.
Starting from version 2.8.2, Windows authentication is available when connecting to SSAS via XMLA.
Follow the steps below to configure Windows authentication for the XMLA connection.
Skip this step if you already have XMLA configured. Otherwise refer to this article: how to set up an HTTP endpoint for accessing an Analysis Services instance.
In CORS, the browser sends the OPTIONS preflight request to the server. This request determines which request methods and headers the server allows.
The OPTIONS preflight request cannot contain any credentials, so Windows Integrated Authentication will reject this request and ask for authentication. Thus, the server should always accept the preflight request. To allow the OPTIONS request, see the following guide: CORS tutorial.
Windows authentication should be allowed on the client side as well. To enable the authentication on the client, set the withCredentials property of the DataSourceObject to true:
var pivot = new Flexmonster({
container: "pivotContainer",
toolbar: true,
report: {
dataSource: {
type: "microsoft analysis services",
proxyUrl: "http://localhost/OLAP/msmdpump.dll",
catalog: "Adventure Works DW Standard Edition",
cube: "Adventure Works",
withCredentials: true
}
}
});
After applying the configurations, the requests to Microsoft Analysis Services will be performed using your current Windows user.
Starting from version 2.8.5, Windows authentication is supported for Flexmonster Accelerator.
Follow the guides below to configure Windows authentication for your type of the Accelerator.
Windows authentication on the server side can be enabled in the flexmonster.config file. To open this file, go to Flexmonster Accelerator Manager and click the Config button.
In flexmonster.config, set the WINDOWS_AUTH property to true to enable the authentication:
WINDOWS_AUTH=true
When enabled, the authentication requires certain origins to be defined in the Access-Control-Allow-Origin header. Origin is a domain that sends requests to Flexmonster Accelerator (e.g., http://localhost:8080 or https://example.com). To allow the origin to send requests to the Accelerator, specify the ALLOW_ORIGIN property in the flexmonster.config file:
ALLOW_ORIGIN=http://localhost:8080
Several origins can be defined as follows:
ALLOW_ORIGIN=http://localhost:8080, https://example.com
To apply new configs, restart the Accelerator using Flexmonster Accelerator Manager: click the Stop button and then click Start.
Windows authentication should be allowed on the client side as well. To enable the authentication on the client, set the withCredentials property of the DataSourceObject to true:
var pivot = new Flexmonster({
container: "pivotContainer",
toolbar: true,
report: {
dataSource: {
type: "microsoft analysis services",
proxyUrl: "http://localhost:50005",
catalog: "Adventure Works DW Standard Edition",
cube: "Adventure Works",
binary: true,
withCredentials: true
}
}
});
To apply the configurations, restart Flexmonster Accelerator. You can check if the Accelerator is up and running by navigating to its URL in the browser (http://localhost:50005 by default).
Flexmonster Accelerator will automatically use your current Windows user to perform impersonated requests to Microsoft Analysis Services.
If the page with Flexmonster Pivot is opened in the Incognito browser window, the pop-up window prompting to enter your login and password should appear. After you log in with your Windows user credentials, Flexmonster Accelerator should successfully connect to the data source.
This guide contains the following sections:
To illustrate how Windows authentication can be configured in an Accelerator DLL project, we added the windows-authentication branch to our sample GitHub application.
To run the sample project, complete these steps:
Step 1. Download the .zip archive with the windows-authentication branch or clone it from GitHub with the following command:
git clone -b windows-authentication https://github.com/flexmonster/pivot-accelerator-dll
Step 2. Open the sample project in Visual Studio using the Flexmonster Accelerator MVC.sln solution file.
Step 3. Update the NuGet packages if needed:
Manage NuGet Packages in the context menu.Updates tab and check the Select all packages checkbox.Update button.Step 4. Open the FlexmonsterConfig.cs file and specify your data source (e.g., localhost):
public static void Register()
{
Flexmonster.Accelerator.Controllers.FlexmonsterProxyController
.ConnectionString = "Data Source=yourDataSource";
// Other configurations
}
Step 5. Now go to the Index.cshtml view and set your values for the catalog and cube properties:
dataSource: {
dataSourceType: "microsoft analysis services",
proxyUrl: "/api/accelerator/",
catalog: "Your Catalog",
cube: "Your Cube",
binary: true,
withCredentials: true
}
Step 6. Run the sample project by clicking the IIS Express button on the toolbar:
To see the result, open http://localhost:55158/ in your browser. Flexmonster Accelerator will automatically use your current Windows user to perform impersonated requests to Microsoft Analysis Services.
Now let’s see which configurations you should set to enable Windows authentication in your project:
Step 1. Enable authentication on the Accelerator’s side in the FlexmonsterConfig.cs file:
public static void Register()
{
// Other configurations
Flexmonster.Accelerator.Controllers.FlexmonsterProxyController
.AuthEnabled = true;
Flexmonster.Accelerator.Controllers.FlexmonsterProxyController
.Impersonator = new WindowsImpersonatorFactory();
// Other configurations
}
Step 2. In the Web.config file, specify the <security> element to define authentication configurations for the server:
<system.webServer> <!-- Other tags --> <security> <authentication> <anonymousAuthentication enabled="true" /> <windowsAuthentication enabled="true" /> </authentication> <authorization> <remove users="*" roles="" verbs=""/> <add accessType="Allow" users="?" verbs="OPTIONS"/> <add accessType="Deny" users="?" verbs="GET,PUT,POST,DELETE"/> <add accessType="Allow" roles="Users" /> </authorization> </security> <!-- Other tags --> </system.webServer>
Learn more about the <security> element in the Microsoft documentation.
Step 3. In the pivot-accelerator-dll/.vs/Flexmonster Accelerator MVC/config/applicationhost.config file, find the anonymousAuthentication element and set its enabled attribute to true. Then do the same for the windowsAuthentication element:
<authentication> <anonymousAuthentication enabled="true" userName="" /> <!-- Other configs --> <windowsAuthentication enabled="true"> <!-- Other configs --> </windowsAuthentication> </authentication>
Note that the .vs/ folder appears after opening the project in Visual Studio, and it is hidden by default. See the Microsoft documentation for guidance on displaying hidden folders.
Step 4. Set the dataSource.withCredentials property to true in your .cshtml page (e.g., Index.cshtml):
dataSource: {
dataSourceType: "microsoft analysis services",
proxyUrl: "/api/accelerator/",
catalog: "Your Catalog",
cube: "Your Cube",
binary: true,
withCredentials: true
},
Now you can use Windows authentication in your Accelerator DLL project.
If you already have an ASP.NET portal that handles users and an authorization process, the most convenient option is to embed the Accelerator into that system. For this purpose, we recommend referencing the Accelerator as a DLL and integrating a Web API endpoint. Endpoint access is fully controlled by the ASP.NET portal so you can manage security in any way you want. The overall process is described in the diagram below. For more details regarding referencing the Accelerator as a DLL please read our tutorial.
You may be interested in the following articles: