This tutorial explains how to manage the authentication process when working with SQL Server Analysis Services (SSAS).
We support three different approaches:
In SQL Server Analysis Services, access rights are provided based on roles. More information about role configuration can be found in this tutorial from Microsoft.
After roles are configured in Analysis Services, they can be specified in Flexmonster reports by using the roles property. This property is available for both XMLA and the Accelerator. The following sample demonstrates how to specify roles:
{
    dataSource: {
        type: "microsoft analysis services",
        /* URL to msmdpump.dll */
        proxyUrl: "http://olap.flexmonster.com/olap/msmdpump.dll",
        catalog: "Adventure Works DW Standard Edition",
        cube: "Adventure Works",
        /* roles from SSAS, you can add multiple
           roles separated by comma */
        roles: "Sales Manager US"
    }
}
Open the example on JSFiddle.
Starting from version 2.8.2, Windows authorization is available when connecting to SSAS via XMLA.
Follow the steps below to configure Windows authorization for the XMLA connection.
Skip this step if you already have XMLA configured. Otherwise refer to this article: how to set up an HTTP endpoint for accessing an Analysis Services instance.
In CORS, the browser sends the OPTIONS preflight request to the server. This request determines which request methods and headers the server allows.
The OPTIONS preflight request cannot contain any credentials, so Windows Integrated Authentication will reject this request and ask for authentication. Thus, the server should always accept the preflight request. To allow the OPTIONS request, see the following guide: CORS tutorial.
Windows authorization should be allowed on the client side as well. To enable the authorization on the client, set the withCredentials property of the Data Source Object to true:
var pivot = new Flexmonster({
    container: "pivotContainer",
    toolbar: true,
    report: {
        dataSource: {
            type: "microsoft analysis services",
            proxyUrl: "http://localhost/OLAP/msmdpump.dll",
            catalog: "Adventure Works DW Standard Edition",
            cube: "Adventure Works",
            withCredentials: true
        }
    }
});
After applying the configurations, the requests to Microsoft Analysis Services will be performed using your current Windows user.
Starting from version 2.8.5, Windows authorization is supported for Flexmonster Accelerator.
Below is a detailed guide on how to configure Windows authorization for Flexmonster Accelerator.
Windows authorization on the server side can be enabled in the flexmonster.config file, a special configuration file for Flexmonster Accelerator. In this file, set the WINDOWS_AUTH property to true to enable the authorization:
WINDOWS_AUTH=true
When enabled, the authorization requires certain origins to be defined in the Access-Control-Allow-Origin header. Origin is a domain that sends requests to Flexmonster Accelerator (e.g., http://localhost:8080 or https://example.com). To allow the origin to send requests to the Accelerator, specify the ALLOW_ORIGIN property in the flexmonster.config file:
ALLOW_ORIGIN=http://localhost:8080
Several origins can be defined as follows:
ALLOW_ORIGIN=http://localhost:8080, https://example.com
Windows authorization should be allowed on the client side as well. To enable the authorization on the client, set the withCredentials property of the Data Source Object to true:
var pivot = new Flexmonster({
    container: "pivotContainer",
    toolbar: true,
    report: {
        dataSource: {
            type: "microsoft analysis services",
            proxyUrl: "http://localhost:50005",
            catalog: "Adventure Works DW Standard Edition",
            cube: "Adventure Works",
            binary: true,
            withCredentials: true
        }
    }
});
To apply the configurations, restart Flexmonster Accelerator. You can check if the Accelerator is up and running by navigating to its URL in the browser (http://localhost:50005 by default).
Flexmonster Accelerator will automatically use your current Windows user to perform impersonated requests to Microsoft Analysis Services.
If the page with Flexmonster Pivot is opened in an Incognito browser window, a pop-up window prompting you to enter your login and password should appear. After you log in with your Windows user credentials, Flexmonster Accelerator should successfully connect to the data source.
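The browser-side CORS rules behind the preflight and ALLOW_ORIGIN steps above, as an added example that is not Flexmonster's code: the function takes the page origin plus the OPTIONS and actual responses and lists why a request sent with withCredentials: true would be blocked. The function names and the sample responses are constructed for illustration.

```javascript
// Added example (not Flexmonster code): evaluate server responses against the
// browser's CORS rules for a request sent with withCredentials: true.

// Header names are case-insensitive; normalise a plain object to lowercase keys.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Returns a list of reasons the browser would block the request (empty = allowed).
// pageOrigin: origin of the page hosting the pivot, e.g. "http://localhost:8080".
// preflight / actual: { status, headers } of the OPTIONS response and the real response.
function checkCredentialedCors(pageOrigin, preflight, actual) {
  const problems = [];
  // The preflight carries no credentials, so it must succeed without authentication.
  if (preflight.status < 200 || preflight.status > 299) {
    const challenge = lowerKeys(preflight.headers)["www-authenticate"];
    problems.push(`preflight: status ${preflight.status}` +
      (challenge ? ` with ${challenge} challenge; OPTIONS must be answered without authentication` : ""));
  }
  for (const [name, res] of [["preflight", preflight], ["response", actual]]) {
    const h = lowerKeys(res.headers);
    const allowOrigin = h["access-control-allow-origin"];
    if (allowOrigin === undefined) {
      problems.push(`${name}: Access-Control-Allow-Origin is missing`);
    } else if (allowOrigin === "*") {
      problems.push(`${name}: wildcard origin is not accepted for credentialed requests`);
    } else if (allowOrigin !== pageOrigin) {
      problems.push(`${name}: origin ${allowOrigin} does not match ${pageOrigin}`);
    }
    // Browsers compare this value case-sensitively.
    if (h["access-control-allow-credentials"] !== "true") {
      problems.push(`${name}: Access-Control-Allow-Credentials must be "true"`);
    }
  }
  return problems;
}

// Constructed sample responses, not captured from a real server.
const ORIGIN = "http://localhost:8080";
const good = { status: 200, headers: { "Access-Control-Allow-Origin": ORIGIN, "Access-Control-Allow-Credentials": "true" } };
const authOnOptions = { status: 401, headers: { "WWW-Authenticate": "Negotiate" } };
const wildcard = { status: 200, headers: { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true" } };

console.log(checkCredentialedCors(ORIGIN, good, good));          // correctly configured server
console.log(checkCredentialedCors(ORIGIN, authOnOptions, good)); // Windows auth applied to OPTIONS
console.log(checkCredentialedCors(ORIGIN, wildcard, wildcard));  // wildcard origin with credentials
```

Feed it the status and headers shown in the browser's network panel for the OPTIONS request and the following request to the proxyUrl.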
If you already have an ASP.NET portal that handles users and an authorization process, the most convenient option is to embed the Accelerator into that system. For this purpose, we recommend referencing the Accelerator as a DLL and integrating a Web API endpoint. Endpoint access is fully controlled by the ASP.NET portal, so you can manage security in any way you want. The overall process is described in the diagram below. For more details on referencing the Accelerator as a DLL, please read our tutorial.