Forbid domain administrator access into SSAS RRS feed

  • Question

  • Hello all,

    First of all, I hope I'm in the right forum, since I wasn't sure if SQL Server Security forum was more suitable.

    My SQL Server server is in a domain and I want to assure that the only user with access to SSAS is my "BIUSER". To do this, the domain administrator must not have access to SSAS. My "BIUSER" is also a domain user in the administrators group.

    I've done this in the SQL Server Database Engine by setting SQL to allow both SQL authentication and windows authentication. And then I only set read /write permissions to "BIUSER". This way, Domain\administrator can't access the Engine. Now I want to do this with Analysis Services.

    As it is written in http://technet.microsoft.com/en-us/library/cc304417.aspx:

    "When it comes to setting up SSAS security for management activities, there are two primary security roles:

    • The server role, which provides access to complete SSAS server functions
    • Database roles, which define database-level administration tasks and end-user data access"

    and further down in the same page it is written:

    "Users who are members of the local administrators group on the same server as the SSAS instance are included in the server role automatically even though the local administrator group does not appear on the server role list."

    So, what I need is to remove the "server role" from the domain administrator.

    Is this possible to do?

    Thanks in advance.



    Tuesday, May 22, 2012 3:30 PM


All replies

  • By default, local administrators on the server are also SSAS admins. To change the default behaviour, you'll have to change the Security \ BuiltinAdminsAreServerAdmins property to false through the SSAS properties window. See link on how to configure SSAS security settings.


    HTH, Martin


    • Proposed as answer by Lola Wang Wednesday, May 23, 2012 3:04 AM
    • Marked as answer by achor Friday, May 25, 2012 8:07 AM
    Tuesday, May 22, 2012 4:50 PM
  • Hello Martin,

    Thank you for your reply. Ok, I found that setting, but before I change it to false, first I have to set the users I want to have access to SSAS.

    Once I have this scenario on, I'll provide you feedback.

    I'm removing this permission to every administrator,  but as I am adding users to manage my AS, there is no risk of loosing access to AS. Even if I remove all users, I will always have permission to manage my roles in Visual BI Development Studio.

    Is this correct? (it is just to be sure).

    Again, thank you for pointing me in the correct direction.

    Wednesday, May 23, 2012 8:42 AM