This tutorial explains how to manage authentication process when working with MS Analysis Services.
We suggest three different approaches:
In SQL Server Analysis Services access rights are provided based on roles. More information about roles configuration can be found in this tutorial from Microsoft.
After roles are configured in Analysis Services, they can be specified in Flexmonster reports by using roles property. This property is available for both XMLA and Accelerator. The following sample demonstrates how to specify roles:
{
dataSource: {
dataSourceType: "microsoft analysis services",
// URL to msmdpump.dll
proxyUrl: "http://olap.flexmonster.com/olap/msmdpump.dll",
catalog: "Adventure Works DW Standard Edition",
cube: "Adventure Works",
// roles from MSAS, you can add multiple roles separated by comma
roles: "Sales Manager US"
}
}
Open the example on JSFiddle.
If you want to add username/password protection, you need to use Accelerator and configure MSMDPUMP. Accelerator is required because browser cuts off authorization header added via JavaScript. MSMDPUMP configuration is required because in case of direct connection MSAS ignores username/password from the connection string and uses credentials of current active Windows user.
To configure username/password protection please follow the steps:
First of all, you need to set up HTTP endpoint for Analysis Services on IIS server. If it is already done, skip this step. Regarding IIS configuration, please refer to the MSDN documentation. In this step, you also configure authentication types.
One username/password is used in the flexmonster.config file for the Accelerator on the server side. In general, Accelerator will use these credentials if client-side report does not contain own credentials. Also, these credentials are used to start the Accelerator, check connection to the data source and connect anonymous users. So, it is recommended to create a user for Accelerator with default privileges and DO NOT use an admin account for this purpose.
Navigate to Control Panel > Administrative Tools > Computer Management and choose System Tools > Local Users and Groups > Users. Add a new user (i.e. flexmonster) by right-click as shown in the screenshot.
Open flexmonster.config and specify following CONNECTION_STRING parameters:
CONNECTION_STRING=Data Source=<endpoint_url>;UID=<username>;Password=<password>;
Where:
<endpoint_url> – URL to HTTP endpoint (i.e. http://localhost/ssas/msmdpump.dll)<username> – username of the default user (i.e. flexmonster)<password> – password of the default userAccelerator is ready to be launched and should successfully connect to the data source. Just run the flexmonster-proxy-ssas.exe with Administrator privileges.
You can check the Accelerator is up and running by navigating to its URL in the browser (i.e. http://localhost:50005).
If you already have ASP.NET portal that handles users and authorization process, the most convenient option is to embed Accelerator into that system. For this purpose, we recommend referring Accelerator as a DLL and integrate Web API endpoint. Endpoint access is fully controlled by ASP.NET portal so you can manage the security the way you want. The overall process is described in the diagram below. For more details regarding referring Accelerator as a DLL please read our tutorial.
