This tutorial explains how to manage the authentication process when working with SQL Server Analysis Services (SSAS).
We support three different approaches:
In SQL Server Analysis Services, access rights are provided based on roles. More information about role configuration can be found in this tutorial from Microsoft.
After roles are configured in Analysis Services, they can be specified in Flexmonster reports by using the roles property. This property is available for both XMLA and the Accelerator. The following sample demonstrates how to specify roles:
{
dataSource: {
dataSourceType: "microsoft analysis services",
// URL to msmdpump.dll
proxyUrl: "http://olap.flexmonster.com/olap/msmdpump.dll",
catalog: "Adventure Works DW Standard Edition",
cube: "Adventure Works",
// roles from SSAS, you can add multiple roles separated by comma
roles: "Sales Manager US"
}
}
Open the example on JSFiddle.
If you want to add username/password protection, you need to use the Accelerator and configure MSMDPUMP. Flexmonster Accelerator is required because the browser cuts off authorization headers that are added by JavaScript. MSMDPUMP configuration is required to prevent SSAS from ignoring the username/password from the connection string and instead using the credentials from the active Windows user in direct connections.
To configure username/password protection follow these steps:
Set up an HTTP endpoint for Analysis Services on the IIS server. Skip this step if this is already done. Refer to the MSDN documentation for information on IIS configuration. In this step, you also configure authentication types.
A username and password are defined in the flexmonster.config file for the Accelerator on the server side. These credentials are used to start the Accelerator, check the connection to the data source, and connect anonymous users. It is strongly recommended to create a user for the Accelerator with default privileges. DO NOT use an admin account for this purpose.
Navigate to Control Panel > Administrative Tools > Computer Management and choose System Tools > Local Users and Groups > Users. Add a new user (e.g. flexmonster) by right-clicking as shown in the screenshot.
Open flexmonster.config and specify the following CONNECTION_STRING parameters:
CONNECTION_STRING=Data Source=<endpoint_url>;UID=<username>;Password=<password>;
Where:
<endpoint_url> – URL to the HTTP endpoint (i.e. http://localhost/ssas/msmdpump.dll)<username> – username of the default user (e.g. flexmonster)<password> – password of the default userThe Accelerator is ready to be launched and should successfully connect to the data source. Just run the flexmonster-proxy-ssas.exe with administrator privileges.
You can check if the Accelerator is up and running by navigating to its URL in the browser (http://localhost:50005 by default).
If you already have an ASP.NET portal that handles users and an authorization process, the most convenient option is to embed the Accelerator into that system. For this purpose, we recommend referring the Accelerator as a DLL and integrating a Web API endpoint. Endpoint access is fully controlled by the ASP.NET portal so you can manage security in any way you want. The overall process is described in the diagram below. For more details regarding referring the Accelerator as a DLL please read our tutorial.
