Question on SSAS 2005 Custom Authentication

  • Question

  • Custom Authentication to SSAS?

    I am working on a web application which uses SSAS 2005 for reporting capabilities. More than a hundred users are using this application and it is working fine.

    Now I need to make my cube available for other OLAP clients (like Excel 2003, XLCUBED, Mosha Studio) as well. In other words, I need to make my cube available over HTTP and allow users to query the data based on the user who logs in (dimension security needs to be applied as well).

    I can't enable Windows or Basic authentication, because I can't create hundreds of Windows users in order to get them authenticated and apply dimension security.

    So my question is: has anyone worked on this type of environment? Has anyone worked on custom authentication?

    Thanks,
    Ashok
    Friday, July 17, 2009 4:24 AM

Answers

  • Sorry, but I do not think this is possible. SSAS provides no hooks for implementing custom authentication, and security roles must be mapped back to Windows accounts.

    You can "kind of" do custom authorization if you are in full control of the connection string, but if you want to use clients like Excel or XLCubed, etc. over HTTP, the only way to secure this is with Windows or Basic Authentication. If you have hundreds of users you would have to store their credentials in a database or something like that. I think you may have to look into automating the creation of Windows accounts of some sort off that table.
    http://geekswithblogs.net/darrengosbell - please mark correct answers
    Friday, July 17, 2009 6:12 AM
  • Hi Ashok,

    Would you please share more details on custom authentication by implementing .NET HTTP handlers?

    Thanks

     


    Andrew
    BI, Data Mining, Analytical CRM
    Friday, September 16, 2011 1:55 PM

All replies

  • Darren,

    Thanks for taking your time to post on this.

    I've got to deliver a project for my client for a SaaS (Software as a Service) offering, and the number of users may be in the thousands. So even if I create Windows users dynamically, would it not be risky to expose Windows users to end users? Is there any way to restrict them so that they cannot gain control of the server, and to be confident of server security?

    I would appreciate your input on this.

    As a separate item: in Excel 2007, we were able to manage the custom authentication by implementing .NET HTTP handlers. This was possible as Excel 2007 allows a good way of programming. In this approach, our custom login page, developed in Excel 2007, takes the user name and password (not Windows user info) and calls the .ashx file. This file authenticates the user by querying against the User Master table (relational) and then assigns the correct OLAP role to the OLAP connection string. This approach has been working fine and we are able to manage with a single Windows user. Our dynamic security works on the "CustomData" property, so the Windows user name is not required for us other than for pumpdll authentication.

    But I am not able to make the same approach work generically, because I need to have a way to take their user name and password in Excel 2003 or XLCUBED.

    Please advise me on this.

    Thanks,
    Ashok

    Friday, July 17, 2009 12:19 PM
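
The handler-side flow described in the post above, sketched as an added example (not code from the thread or from any poster). The class name, in-memory user table, role name, catalog and URL are all hypothetical placeholders; the point shown is that the role comes only from the server-side table and the user name is allow-listed before it reaches `CustomData`, so a login name cannot smuggle extra connection-string properties.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text.RegularExpressions;

public static class OlapLogin
{
    sealed class UserRow { public byte[] Salt; public byte[] Hash; public string Role; }

    // Constructed stand-in for the relational "User Master" table.
    static readonly Dictionary<string, UserRow> Users =
        new Dictionary<string, UserRow>(StringComparer.OrdinalIgnoreCase);

    // Allow-list: no ';', '=', quotes or whitespace can reach the connection string.
    static readonly Regex SafeName = new Regex(@"^[A-Za-z0-9._@-]{1,64}\z");

    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }

    public static void AddUser(string name, string password, string role)
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        Users[name] = new UserRow { Salt = salt, Hash = Derive(password, salt), Role = role };
    }

    // Returns the connection string for an authenticated user, or null on any failure.
    public static string BuildConnectionString(string name, string password)
    {
        UserRow row;
        if (name == null || password == null || !SafeName.IsMatch(name)) return null;
        if (!Users.TryGetValue(name, out row)) return null;
        byte[] candidate = Derive(password, row.Salt);
        int diff = 0; // compare every byte so timing does not reveal the mismatch position
        for (int i = 0; i < candidate.Length; i++) diff |= candidate[i] ^ row.Hash[i];
        if (diff != 0) return null;
        // Role is read from the table, never from the request (placeholder URL and catalog).
        return "Provider=MSOLAP;Data Source=http://olap.example.test/olap/msmdpump.dll;"
             + "Initial Catalog=SalesCube;Roles=" + row.Role + ";CustomData=" + name;
    }

    public static void Main()
    {
        AddUser("alice@tenant1", "correct horse", "TenantReader"); // constructed sample user
        Console.WriteLine(BuildConnectionString("alice@tenant1", "correct horse"));
        Console.WriteLine(BuildConnectionString("alice@tenant1;Roles=Administrators", "correct horse") ?? "rejected");
        Console.WriteLine(BuildConnectionString("alice@tenant1", "wrong") ?? "rejected");
    }
}
```

The string is built and used on the server under the single Windows account; it is never returned to the client, since whoever controls it controls `Roles` and `CustomData`.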
  • Hi Ashok,

    Even if you create Windows users, you do not need to give them a lot of permissions outside of Analysis Services. I think you could restrict them, e.g. from remotely logging in to the server, accessing any directory, etc., which would restrict the potential of what they can do with the Windows account.

    Frank

    Tuesday, February 21, 2017 6:57 PM