Login to participate
Endpoint Management & Virtualization ArticlesRSS

IT Analytics Solution, Part 4: Securing IT Analytics Solution

dprager's picture
dprager
June 11th, 2008
Filed under: , ,

This section provides an overview of the security concepts necessary to understand the interactions between application components of IT Analytics Solution as well as end users. In addition, step by step instructions are provided to configure end user security for a standard configuration, with supplementary information relevant to advanced security options.

The recommended best practice for management of a standard security configuration where all end users of IT Analytics will be granted the same rights to view cube and report information is to create a single Domain Security Group that contains all users and groups of users that require access to IT Analytics. For the purpose of this configuration example, it is assumed that this parent group is called "IT Analytics Users", and this group will be referenced throughout the following instructions.

The following sections provide an overview of each distinct application tier, the security configurations relevant to IT Analytics, and configuration instructions for our standard configuration scenario.

Topics Include:

SQL Server Database Engine

Altiris IT Analytics Solution provides configuration and end-user functionality that is hosted inside the Notification Server. As such, IT Analytics Solution is designed to support all database versions supported by Notification Server 6.0 SP3. In most scenarios this will either be a SQL Server 2000 or SQL Server 2005 Database Engine.

In addition to solution specific configuration information and end user functionality that is accessible through the Altiris Console, the relational data hosted by the Altiris and Altiris_Incidents databases acts as the source for the cubes installed in SQL Server 2005 Analysis Services. During the configuration of the Analysis Server section of the Connection Settings page in the IT Analytics Solution Configuration folder, two data sources are created in the specified SQL Server 2005 Analysis Services Database that inherit the currently configured settings for the host Notification Server's Altiris and Altiris_Incidents databases. These data sources are utilized to connect from Analysis Services to the Database Engine at the time of cube processing. Outside of storing the IT Analytics Solution configuration settings, events, and cube processing from Analysis Services, there are no other interaction with the SQL Server Database Engine by IT Analytics Solution.

Specific configurations within Notification Server may cause the data sources in Analysis Services to fail to connect to the relational Database Engine, so it is important to highlight how and when the data sources in Analysis Services are created, and how to reconfigure the data sources if a connection fails. Specifically, at the point in time during the configuration of the Analysis Server section of the Connection Settings that the Save Database Setting button is clicked for the Analysis Server Database field, the current connection settings for the Notification Server's Altiris and Altiris_Incidents databases are used to either create new data sources in the Analysis Server Database if they do not already exist, or to overwrite the existing settings if they do exist. The impact of this is that in order to repair data sources that fail to connect, simply clicking the edit icon for the Analysis Server Database field, followed by clicking the Save Database Settings button without altering the configuration will set the data sources to the current values. This step is necessary whenever the database settings for Notification Server are altered.

If more advanced configuration of data sources is required, such as changes to the desired host name or credentials, the data sources can be directly manipulated via the SQL Server Management Studio, and the configuration changes will persist as long as the Analysis Server Database is not re-configured per the instructions above. This may be necessary, for example, in a scenario where the Notification Server is configured to connect to the Altiris database via "localhost", and the Analysis Server Database is not on the same host as the Notification Server and Database Engine.

Note: The actual names of the Altiris and Altiris_Incidents databases referred to may vary per Notification Server instance.

SQL Server 2005 Analysis Services

SQL Server 2005 Analysis Services is accessed during the configuration of the Analysis Services Database and its contents, such as cubes and dimensions, as well as by end users accessing the cubes as a source of information. During configuration of the Analysis Services Database through the IT Analytics Solution configuration pages, the currently configured Application Identity of the Notification Server is used to access Analysis Services.

In order for the Application Identity to configure objects in the designated Analysis Server, one of the following must be true:

  • The Application Identity is a local administrator on the Analysis Services host computer, which grants it administrator rights to the local Analysis Services instance.
  • The Application Identity is a member of the designated Analysis Services instance Server role. This allows users that are not local administrators to have administrative privileges on the Analysis Services instance. To add a user to the Analysis Services Server role, from the SQL Server Management Studio, access the Properties dialog for the Analysis Services instance, and navigate to the Security page. From this page you can add the Application Identity user or a group to which this user belongs.
  • The target Analysis Services Database for IT Analytics Solution is already created on the designated Analysis Services instance prior to configuration of IT Analytics Solution, and the Application Identity is in a role in that database that has Administrative privileges. Details on creating roles in Analysis Services can be found later in this section.

The most common access to Analysis Services is for end users to connect to cubes to perform analysis and run reports. These connections will commonly be through the Pivot Tables accessible in the IT Analytics tab in Notification Server, as the data source to a SQL Server Reporting Services report through the IT Analytics tab in Notification Server, or by using 3rd party applications designed for cube browsing, including Microsoft SQL Server Management Studio, Microsoft Excel, ProClarity, and so forth.

In each case, end user rights to cubes in Analysis Services are managed through the use of Analysis Server roles. To view a cube, a user must be in a role that has read access to a cube. Fine grain control of what cubes, what dimensions of cubes, and even the actual dimension members and data within cubes can be controlled through Analysis Server roles. For ease of configuration, basic read access to cubes can be administered through the Altiris Console by utilizing the Security tab of the Cube Setup page.

For our standard configuration example, the following procedures grant access to cubes for authorized IT Analytics Users that do not already have administrative privileges on the Analysis Server instance hosting the IT Analytics cubes.

To grant access to cubes using the Altiris Console

  1. Navigate to the Configuration tab of the Altiris 6.0 Console.
  2. In the left pane, expand Configuration > Solution Settings > IT Analytics > Configuration and select Cube Setup.
  3. In the right pane, select the Security tab.
  4. If desired, add members to the default role named IT Analytics Users or create and manage new roles. See To add users to the default role in the next section.

To add users to the default role

  1. In the Role Members section, select the Add icon.
  2. A popup windows appears allowing you to select Users or Groups of users from the local machine or domain. Select the appropriate users and then click OK.
  3. After the screen refreshes, the selected users or groups are displayed in the role members section.

To modify role privileges

  1. In the Cube Read Access section of the Security tab, select or clear the check boxes as desired.
  2. When cube access is configured properly, select the Apply button.
Note: Selecting the box next to a cube grants members or the selected role access to that specific cube. A cleared box means that members of this role will not have access to the cubes. In addition, any pivot tables, dashboard, or reports that include this cube will have reduced data sets or return no results.

To create a role

  1. In the roles section of the Security tab, select the New button.
  2. Give the role an appropriate name.
  3. Add members to the new role as described above and select the appropriate check boxes to grant read access to the required cubes.
  4. Select the Apply button.

To delete a role

  1. In the roles section of the Security tab, select the role to be deleted from the dropdown menu.
  2. Wait for the screen to refresh, then select the Delete button.
  3. The screen will refresh and a message is displayed at the top of the page stating the the role was deleted successfully.
  4. Select Apply to save the changes.

To grant access to cubes using SQL Server Managemetn Studio

  1. Open SQL Server Management Studio and connect to Analysis Services using an account with administrative rights.
  2. Right click on the Roles folder within the IT Analytics database and select New Role.
  3. On the General page of the Create Role dialog, enter "IT Analytics Users" as the role name.
  4. Select the Read Definition database permission for the role.
  5. On the Cubes page, set the Access drop down to Read for each cube you want this role to have access to. If you install additional cubes in the future, the read privilege needs to be granted explicitly for those cubes after installation.
  6. On the Membership page, click the Add button to specify users and groups for this role.
  7. Click the Object Types button and select Groups to allow the security group to be added and click Ok.
  8. Click the Location button and change the location to the domain for which you created the security group "IT Analytics Users" and click Ok.
  9. In the field for objects to select, add the "IT Analytics Users" group and click Ok.

Members of this role now have appropriate rights to view the cubes permitted by this role. Note that configuration of Notification Server security may be required to see the IT Analytics tab and any installed cubes or reports (see Notification Server later in this section).

SQL Server 2005 Reporting Services

SQL Server 2005 Reporting Services is accessed during the configuration of the Reporting Services Folder and its contents, such as reports and data sources, as well as by end users accessing the reports through the IT Analytics tab in Notification Server or directly through the Reporting Services Report Manager Web site. During configuration of the Reporting Services Folder through the IT Analytics Solution configuration pages, the currently configured Application Identity of the Notification Server is used to access Reporting Services. In order for the Application Identity to configure objects in the designated Reporting Server, it must be granted the Content Manager privilege for that Reporting Server. By default, the local administrators group on the Reporting Server has Content Manager privileges, but if the Application Identity is not a part of this group, it can be granted the System Administrator privilege by navigating to the Permissions page of the Properties dialog for that Reporting Server within SQL Server Management Studio.

By default, only the users in the local administrators group have access to the reports on the SQL Reporting Service. In order to access these reports through either the IT Analytics tab in the Notification Server console or the SQL Reporting Server web console, the Browser role must be granted in SQL Server 2005 Reporting Server. This role can be applied at the top level folder, where it will be inherited by all child reports. Alternatively, security can be applied to reports individually if more granular control is required. In order for reports to return data, the account used must have at least Read access to the Analysis Server cubes accessed by the report.

For our standard configuration example, the following procedures grant access to reports for authorized IT Analytics Users that do not already have Browser privileges on the Report Server instance hosting the IT Analytics reports.

To grant access to reports for authorized IT Analytics Solution users

  1. Access the Report Manager Web site as a user with System Administrator privileges for that Reporting Services instance. The URL for the Report Manager will be similar to http://servername/Reports/. If you did not install SQL Server Reporting Services as the default "instance", the URL for the Report Manager may instead be similar to http://servername/Reports$InstanceName/.
  2. Navigate to the folder configured to host the IT Analytics reports. By default this folder is called "IT Analytics".
  3. Navigate to the Properties tab for the current folder.
  4. In the left pane, navigate to the Security page.
  5. Click New Role Assignment.
  6. In the Group or user name field, enter "IT Analytics Users".
  7. Select the Browser role and click Ok.

Members of this role now have appropriate rights to view the reports permitted by this role. Note that configuration of Notification Server security may be required to see the IT Analytics tab and any installed cubes or reports (see Notification Server section below).

Notification Server

End user access to IT Analytics Solution typically occurs through the IT Analytics tab within the Altiris Console. Users must have access to the IT Analytics tab through a Notification Security role in addition to access to data within the Analysis Services cubes and Reporting Services reports in order to obtain full functionality. For our standard security configuration scenario, we assume that the users in the security group "IT Analytics Users" already have, at minimum, access to the Altiris Guests Security role within Notification Server.

To grant access to the Dashboards, Pivot Tables, and Reports available within the IT Analytics tab

  1. In the Notification Server console, navigate to Configuration Tab > Configuration > Server Settings > Notification Server Settings > Security Roles.
  2. Choose the Security Role named "IT Analytics Users".
  3. Navigate to the Privileges tab for the IT Analytics Users role, and select View IT Analytics Tab in the Altiris Console Privileges section.
  4. Navigate to the Membership tab, and click Add new member(s).
  5. In the Name Query field, select Starts With and enter IT Analytics Users. Click the Find button to locate the group.
  6. Select the result returned for the IT Analytics Users group and click Ok.
  7. Click the Apply button for the Security Role to save the settings.
  8. Navigate to the IT Analytics tab within Notification Server, in the left pane right-click on the IT Analytics folder, and select Properties.
  9. Navigate to the Security tab on the Properties window, and in the Permissions section, click Add.
  10. Select the IT Analytics Users role and click Select.
  11. On the Permissions Selection Dialog, select the Read permission in the Altiris System Permissions section and click Select.
  12. Select the Replace permissions on all child objects option and click Apply.

Upon completion of the above configuration procedures, all users in the IT Analytics Users domain security group will have access to the IT Analytics tab within the Altiris Console, and full access to the installed IT Analytics cubes and reports.

Several Notification Server Role-based Privileges have been added to aid in securing the data available in IT Analytics. These privileges let administrators specify which Notification Server Roles can Author (Save) and Read (Load) pivot views.

The following privileges exist

  • Author Private Pivot Views - Lets users save configured pivot table or pivot chart views as private views.
  • Author Public Pivot Views - Lets users save configured pivot table or pivot chart views as public views.
  • Read Private Saved Pivot Views - Lets users open or load previously saved pivot table or pivot chart views marked as private.
  • Read Public Saved Pivot Views - Lets users open or load previously saved pivot table or pivot chart views marked as public.

To grant access to author and save views, load views, and create new reports

  1. Navigate to the Configuration tab of the Altiris 6.0 Console.
  2. In the left pane, expand Configuration > Server Settings > Notification Server Settings >Security Roles and select the role for which you would like to grant access.
  3. In the right pane, select the Privileges tab.
  4. Scroll down to the IT Analytics Privileges section and expand if necessary.
  5. Select the check boxes for the appropriate privileges you wish to grant this role.
  6. Select Apply.
Note: As with any Notification Server solution, additional, scope-based, security can be configured for each individual dashboard, report, or pivot table.

Role Based Cube Filtering

SQL Server 2005 Analysis Services has a wide range of advanced security opportunities available that can be explored through the SQL Server Management Studio. One feature is the ability to filter the data that a role has access to by restricting access to specific members of a dimension.

The following task demonstrates how to restrict access for the IT Analytics Users role to only return cube data for assets with a status of "In Stock". This example assumes you have the IT Analytics Asset Management Pack installed and have granted the IT Analytics Users role access to all available cubes in the Analysis Services Database.

  1. In SQL Server Management Studio, navigate to the Properties for the IT Analytics Users role in the IT Analytics Analysis Services Database.
  2. In the Edit Role dialog, navigate to the Dimension Data page.
  3. In the Dimension drop down, select the Asset Status dimension.
  4. Select the Deselect all members radio button.
  5. In the Attribute Hierarchy drop-down list, select Asset Status.
  6. Select the desired dimension members that the role should have access to. For this example we assume there is a member named "In Stock". Actual members will be specific to each Notification Server instance.
  7. Navigate to the Advanced tab of the Dimension Data page, and select Enable Visual Totals. This prevents the role from seeing aggregate totals independent of the configured filtering and restricts aggregations to only what the user has access to.
  8. Click Ok to save the role configuration.

After completion of these procedures, users in the configured role will only see results for assets that have an asset status of "In Stock" across all cubes. This filtering is enforced across all means of accessing the cubes, including Dashboards, Pivot Tables, Reports, and third-party applications.

Distributed Architecture Considerations

In most circumstances, we recommend that the SQL Server 2005 Analysis Services and SQL Server 2005 Reporting Services instances utilized for IT Analytics Solution reside on the same host computer. It is possible to host these services on different computers in a highly distributed environment, but additional configuration may be necessary to ensure authentication is managed appropriately across all application tiers.

The SQL Server 2005 Reporting Services data sources that are configured from the Connection Settings page are designed to use Windows integrated security by default, which allows for the granular control of which reports an end user has access to and enables the filtering of cube data available to a user as described in Advanced: Role Based Cube Filtering on page 31. In order for the delegation and impersonation features available with Windows integrated security to support connections across multiple servers, the network environment in which IT Analytics Solution is installed must be configured to use the Kerberos protocol. Without the use of Kerberos, Windows credentials are only passed across one computer connection before they expire.

In the scenario where the SQL Server 2005 Analysis Services and SQL Server 2005 Reporting Services are hosted on the same computer, the credentials of the end user accessing a report through the Altiris Console are only passed across one computer connection, from the end users computer to the computer that hosts both Analysis Services and Reporting Services. The impact is that the delegation of credentials will succeed without Kerberos enabled.

In the scenario where the SQL Server 2005 Analysis Services and SQL Server 2005 Reporting Services are hosted on different computers, one additional connection is required to pass the credentials of the end user from the Reporting Server to the Analysis Server. Without Kerberos enabled, the second connection from Reporting Services to Analysis Services would be attempted as an anonymous user, which fails authentication in a typical configuration.

In order to complete the two-step delegation process from the end user's computer to the Reporting Server, and then from the Reporting Server to the Analysis Services (if Reporting Services and Analysis Services are hosted on different computers), there are two options available:

  • Enable the Kerberos protocol to allow credential delegation over multiple connections. For information on enabling the Kerberos protocol, refer to the Microsoft Knowledge Base article titled "How to configure SQL Server 2005 Analysis Services to use Kerberos authentication" located at: http://support.microsoft.com/kb/917409.
  • Instead of using Windows integrated security, configure the Reporting Services data sources to use stored credentials or prompted credentials to access the Analysis Services cubes. In the event that stored credentials are used, all connections from Reporting Services to Analysis Services occur in a predefined user context, and Role based filtering will not function as described in the Role Based Cube Filtering section above.

IT Analytics Solution, Part 3: Working with Pivot Tables

0 votes