Operational Considerations

Automatic Detection of End User’s Domain Logon Authorization

Microsoft® SQL Server™ OLAP Services automatically detects a connecting end user’s logon user name and the authorization obtained when the end user logged on to the domain. If the end user specifies, when connecting, a user name and password different from his or her logon user name and password, the specified user name and password are ignored.

Service Logon Account Permissions to Data Sources

The service name for OLAP Services is MSSQLServerOLAPService. The logon account associated with this service must have permissions to access data sources that OLAP Services administrators can access through the OLAP Manager. Otherwise, the OLAP Services administrators will not be able to process the multidimensional objects they maintain using the OLAP Manager.

The service logon account is specified in the Service dialog box of Microsoft Windows NT® on the server computer.

To display the Service dialog box

  1. On your desktop, click Start, point to Settings, and then click Control Panel.
  2. Double-click Services.
  3. Click MSSQLServerOLAPService.
  4. Click Startup.

For more information about the Service dialog box, refer to its Help.

Accessing Your Cube from Another Workstation

It is possible for a user who creates a cube to be denied access to the cube. This can occur when the user logs on at a workstation other than the one hosting OLAP Services and attempts to view data in the cube on the server computer. A common cause for this problem is that the user was logged on under a local account on the server computer when the cube was created, and then logged on under a local account on the second computer. The cube owner’s access control list (ACL) reflects the local account on the server computer, not the local account on the second computer, and the user is denied access.

To avoid this problem, always log on under a domain account when you create cubes, and then log on under the same domain account on other computers.

Alternatively, you can assign a role to the cube when it is created. You are then able to access the cube from any computer, if you log on under an account granted access by the role.

Changing a User’s Access Rights

The time that elapses between a change to a user’s access rights in OLAP Services and the actual effect of the change depends on the value of the Auto Synch Period initialization property, the user’s actions, and how long the user maintains a connection. The value of this property controls the frequency (in milliseconds) of client/server synchronization, including revalidation of access rights. This value defaults to 10,000 milliseconds (10 seconds), but is passed to OLAP Services in each connection string. Thus, the default can be overridden by users and client applications and can vary from user to user and client to client.

If the Auto Synch Period property is set to null or 0 (zero), synchronization does not occur at a constant interval. It occurs due to users’ actions; therefore, the time that synchronization will occur cannot be predicted accurately. In this case, changes made to access rights while a user is connected to a cube do not take effect until synchronization occurs or the user disconnects from the cube. After a user has been granted access to a cube, that user can remain connected to the cube for the duration of a query session until synchronization occurs. A user cannot be forcibly disconnected from a cube during a query session after access has been granted. If the user’s access rights are removed during the query session, the user will not be able to reconnect to the cube after disconnecting from it.

If the Auto Synch Period property is set to a non-null, non-zero value, users’ logon user names and authorizations are compared to their access rights defined in OLAP Services at the specified interval. At that time, changes to a user’s access rights that occurred since the last synchronization take effect immediately. For example, if a user’s access rights to a cube have been removed, the user is immediately unable to access the cube.
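
Because the Auto Synch Period is supplied by the client in the connection string, an administrator reviewing client configurations may want to find connections on which revoked access rights are revalidated slowly or not at a fixed interval. The following check is an added example, not part of the original documentation or the product. The server name olapsrv01, the 60,000 ms policy limit (max_ms), and the treatment of an empty value or the literal "null" as a null setting are assumptions made for illustration.

```python
DEFAULT_MS = 10_000  # default period stated in the documentation above

# Constructed sample connection strings; olapsrv01 is a made-up server name.
SAMPLES = [
    'Provider=MSOLAP;Data Source=olapsrv01;Initial Catalog=Sales',
    'Provider=MSOLAP;Data Source=olapsrv01;Auto Synch Period=0',
    'Provider=MSOLAP;Data Source=olapsrv01;Auto Synch Period=3600000',
    'Provider=MSOLAP;Data Source=olapsrv01;auto synch period = "5000"',
]

def parse_conn_str(conn_str):
    """Split a 'key=value;key=value' string into a dict with lower-cased keys.
    Simplification: assumes no semicolons inside quoted values."""
    props = {}
    for part in conn_str.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        props[key.strip().lower()] = value.strip().strip('"')
    return props

def revalidation_period(conn_str, max_ms=60_000):
    """Return (status, period_ms) describing how often access rights are
    revalidated. max_ms is a hypothetical site policy, not a product setting."""
    raw = parse_conn_str(conn_str).get("auto synch period")
    if raw is None:                       # property omitted: default applies
        return ("default", DEFAULT_MS)
    if raw == "" or raw.lower() == "null":
        return ("unbounded", None)        # no fixed interval (assumed null forms)
    try:
        period = int(raw)
    except ValueError:
        return ("invalid", None)
    if period < 0:
        return ("invalid", None)
    if period == 0:                       # synchronization only on user actions
        return ("unbounded", None)
    if period > max_ms:                   # revocation may lag beyond policy
        return ("slow", period)
    return ("ok", period)

if __name__ == "__main__":
    for s in SAMPLES:
        print(revalidation_period(s), s)
```

Connections reported as unbounded are the ones on which a removed access right does not take effect until synchronization happens to occur or the user disconnects.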

Protecting OLAP Data

It is important for you to protect the security of your OLAP data. As with all database products, this includes judicious assignment of administrative permissions. All users who have administrative permissions to OLAP servers should be careful when they use Web browsers, productivity applications, and e-mail.

It is recommended that you establish specific Windows NT accounts to administer OLAP Services and require administrators to refrain from accessing Web pages, productivity applications, and e-mail applications that support scripts or macros when using these administrative accounts. If it is necessary to use an application that supports scripts or macros when you are logged on as an administrator, set security to the highest level and never accept any control or object that is not marked script safe. Note that Decision Support Objects (DSO) is not marked script safe, and your browser will provide a prompt before loading DSO. You should reject the loading of DSO in this way unless you are certain the application loading it is trusted.

It is also recommended that you use Windows NT Authentication for connections between OLAP servers and SQL Servers that are used as data sources for OLAP databases.

(c) 1988-1998 Microsoft Corporation. All Rights Reserved.