asked on December 31, 2019
Hi Mykhailo\Valeria,
This is Srinivas from Invasystems and I am a colleague of Nagaraj.
We were able to identify the issue for this error but don’t know how to proceed further.
Actually, what is happening is that the accelerator is trying to connect the SSAS cube using NT Authority\System user. As this is a super user our role based authentication is failing if we give access to cube for SYSTEM user.
So we don’t want to give system user any admin rights to cube.
Ideally, the accelerator should connect to the cube using anonymous credential of website in IIS (domain\user).
Can you please tell us why accelerator is trying to connect to the cube using NT Authority\System user? And not the impersonate user?
Furthermore, to investigate more I followed the steps as per the below instructions:
https://www.flexmonster.com/doc/configuring-authentication-process/#!credentials
in step 3, I am trying to pass the msmdpump olap url to connection string in Config file. But after doing that, the accelerator is not starting.
Can you please tell us why we are facing this issue?
Can you please help us at the earliest?
Thanks,
Srinivas
⋅ December 31, 2019
Hello Srinivas,
Thank you for your question.
Speaking of Flexmonster Accelerator, it uses NT Authority\System user credentials out of the box to access SSAS cube. In such a case, when nothing else is configured, it can still show the data.
After the msmdpump file with new users credentials is configured, please restart the cube and the accelerator. Then you need to carefully define the connection string as it is described in step 3 and to start the accelerator instance with a new connection string. Please note that if the user changes and you need to connect with a new user's permissions, the accelerator needs to be restarted with the connection string that includes new user's credentials.
In case the issue still occurs, please start the Accelerator in terminal and check the error message.
That should help you to define the reason of the issue.
Please let us know if you have any other question.
Regards,
Dmytro
⋅ January 1, 2020
Hi Dmytro,
Thanks for your answer. We will look into it. In the meantime while awaiting a response, I downloaded a sample mvc project from your forum. This sample connected to the SSAS via accelerator dll. We have made it custom to our cube. The code is working fine. Actually we have a cube that has a role that restricts the data based on company code. If you are aware to implement roles we need to impersonate the user using effectivename in the connection string. The role is working fine as we have checked via excel and ssms. But when I use effectivename in js file in accelerator then we get the output but the data is not getting restricted. We have used customdata aswell but it also does not work.I have decompiled the dll to see the code. The connection string does use effectiveusername but I am not sure why the code is not restricting the data. I am unable to attach the file but have forwarded the code to your team. Is it possible for you to modify the code to include the source code of DLL into it. I can debug the issue then on my machine.
⋅ January 3, 2020
Hello Srinivas,
Thank you for the update.
Regarding the roles, we would like to notice that you can specify the necessary role directly in the report. Please take a look at the following sample: http://jsfiddle.net/flexmonster/7g82cnn3/
Here, as you can see, the role Sales Manager US is used and the Geography dimension is restricted only to show the data for the United States. Is it possible to use roles for your use case?
As for the effectiveUserName, we confirm that it is passed to connection string and the results of the queries are shown "as is". So, we can only recommend double-checking the SSAS server users /groups configuration. The SSAS security configuration can be tricky, but most probably the issue lies somewhere on that side, not on the JS side.
As for the MVC sample, we will answer in the following thread - https://www.flexmonster.com/question/accelerator-dll-not-working-when-i-decompile-the-dll/.
Regards,
Ian
⋅ January 3, 2020
Hi Ian,
Thanks for your reply. We tried with roles attribute on the report. The pivot chart does not run with that setting at all.Hence we had to remove it. As I said the cube is displaying the restricted data when connected via Excel or SSMS. Even in excel when we connect via connection string we pass Effectiveusername in it. And the excel data is restricted to the user specified in EffectiveUserName. So I am confident that the cube is working fine with its results. I also used a sample asp.net code to connect to cube with ADOMDClient the same class that you are using. If I give effectiveusername in the connectionstring the cube gives restricted data in this application. Hence it should also work with accelerator. But I am not sure why it is not working only for accelerator. If you want I can share with you the sample asp code.
Another thing, we have a role based on users that would be authenticated via connection string.I donnot think your role Sales Manager US is based on user being passed on to the cube. Let me know if you want to know as to how we have created the role in our cube.
Many Thanks,
Srinivas
⋅ January 6, 2020
Hello Srinivas,
Thank you for providing additional details.
Our team needs to spend some more time on effectiveUserName case research.
We will notify you as soon as we found something.
Regards,
Dmytro
⋅ January 9, 2020
Hello Srinivas,
Thank you for giving us some time and sharing the code via email.
We have reviewed the proposed approach with Impersonator and it looks promising.
To make it configurable, we recommend the following:
FlexmonsterProxyController// if Impersonator is injected
using (new Impersonator(args))
{
connection.Open();
}
customData, etc.) as well as using some pre-configured values.
So, you will be able to use our official Accelerator DLL and use custom Impersonator to dynamically impersonate the users.
We can implement and release the described approach in the next minor release (ETA Jan 27).
Please let us know your thoughts.
Regards,
Ian