Analysis Services 2005 in SQL Server has improved security

Before now, you could define MSAS roles at the database or cube level; however, there was no concept of Analysis Services logins, nor could you use SQL Server logins -- MSAS role members must be Windows accounts or groups. Although the Analysis Services security model hasn't changed, Microsoft has resolved some critical security limitations with its latest version, MSAS 2005. In this tip I sum up the security weaknesses in MSAS 2000 and the upgrades in MSAS 2005.

MSAS 2000 security challenges

One common complaint with MSAS 2000 is limited flexibility for defining administrative roles. Once you install the software, a Windows group called OLAP Administrators is added to the server and members of this group can perform any operation against the analysis server. There is no way to create a role that can only process cubes or create objects in a given cube. Therefore, you must grant unlimited MSAS permissions to the administrative users.

Unlike the administrative permissions, Analysis Services 2000 allows a lot of flexibility when it comes to restricting user access to certain dimensions or specific members within each dimension. You can create roles that have read-only or read-write permissions. You can also secure each level within a dimension and even pick individual cells within a cube that the user is permitted to see. However, this flexibility comes with a caveat.

Smaller-scale MSAS installations have a handful of users or groups. You could have a group that reads each cube and perhaps several groups of privileged users who can read sensitive data from certain dimensions. But what if you're building an analytical application for a large financial institution with thousands of customers? Each customer needs access only to her own accounts and shouldn't be able to view the accounts of any other customers. Implementing such MSAS 2000 applications with a large number of roles is a considerable challenge.

When you start MSAS 2000 service, it attempts to load so called replica dimensions into memory. Replica dimensions contain a subset of dimension members that a particular cube role is permitted to see. Since each role will have at least one replica dimension, as the number of roles grows, so will the memory requirement and the time it takes to start the service. This limitation becomes increasingly severe with large dimensions that have many thousands or millions of members. The fact that you can only dedicate up to 3 GB of memory to 32-bit Analysis Services exacerbates the problem. (Normally, MSAS can only use 2 GB of memory, but you can add a switch to the boot.ini file and a Registry entry to advise MSAS to use up to 3 GB of RAM). I've seen implementations where Analysis Services simply cannot start because it lacks enough memory to load all dimensions.

Improvements with MSAS 2005

Fortunately, MSAS 2005 makes administrative permissions more granular. First, MSAS 2005 supports multiple instances of the software on a single server and each instance can have a separate administrator. The new version introduces the concept of a fixed server role, which is analogous to SQL Server's SYSADMIN server role. The fixed server role members can modify server configuration settings (the number of configuration settings increased from about a dozen in MSAS 2000 to almost 200 in MSAS 2005), manage cube data access permissions, run Profiler traces against the server and create databases. Cube structures will no longer be modified directly on the analysis server -- instead you must use Business Intelligence Development Studio (BIDS).

In addition to adding Windows users to the fixed server role, you can grant the following administrative permissions at the individual database level:

• Full control -- Members of this role can perform any operation within the current database but cannot change any server-wide configuration settings.
• Process database -- Members of this role can process the current database and any underlying objects.
• Read definition -- Members of this role can read database object definitions (metadata) but cannot change them.

You can grant each Analysis Services database user permission to process the cube or individual dimensions. In addition to granting permission to view individual dimensions, members can also grant permission to view certain attribute hierarchies and not others.

You'll be glad to learn that MSAS 2005 no longer attempts to load replica dimensions into memory at startup. In fact, with this version there is no concept of replica dimensions at all -- security is implemented using bitmap indexes created on secured attributes. The memory footprint of bitmap indexes will be minimal; furthermore, the security bitmap can be read from memory or disk. With this architecture you can safely create thousands of roles without the fear that MSAS will encounter any memory issues.

Both MSAS 2000 and MSAS 2005 support 64-bit editions, which are not limited to 3 GB of memory. If you run a 64-bit implementation, the amount of memory you can dedicate to Analysis Services is likely to be limited by the amount of total memory available on your server. The upper limit of memory you could dedicate to MSAS is 64 GB if you're using the Enterprise Edition and 512 GB with the Datacenter Edition of Windows Server 2003; it should come as no surprise that such servers are quite expensive. In addition to the large amount of available memory that 64-bit implementations will enjoy, they will also have very large dimension support with Multidimensional OLAP (MOLAP). Other benefits include more parallelism in processing leading to faster cube processing times, better query response times and more.

About the author: Baya Pavliashvili is a DBA manager overseeing database operations that support more than one million users. Pavliashvili's primary areas of expertise are performance tuning, replication and data warehousing.

More on SearchSQLServer.com

Fast Guide: SQL Server Reporting Services

Rate this Tip To rate tips, you must be a member of SearchSQLServer.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT SQL Server security Implementing security audit in SQL Server 2008 Tutorial: Learn SQL Server basics from A-Z New security features in SQL Server 2008 leave some work for you Can I encrypt and restore a database backup in SQL Server 2005? FAQ: How to troubleshoot and grant SQL Server permissions Secure SQL Server from SQL injection attacks How insiders hack SQL databases with free tools and a little luck Sarbanes-Oxley compliance checklist: IT security and SQL audits SQL Server source code analysis and management adds database security Ten common SQL Server security vulnerabilities you may be overlooking SQL Server data warehousing/business intelligence FAQ: Troubleshooting SQL Server Reporting Services What's new in SQL Server 2008 Reporting Services? SQL Server 2008 Integration Services delivers new features Tips for tuning SQL Server 2005 to improve reporting performance Parent-child dimensions in SQL Server 2005 with Analysis Services MDX Troubleshoot Web service issues in SQL Server 2005 Reporting Services Ordering the results of a SQL query SSIS error message due to installation problem on SQL Server 2005 Configuring SQL Server with a changed computer name Using MDX and UDM in a SQL Server Analysis Services environment SQL Server upgrade and migration SQL Server consolidation: Why it's an optimization technique Should you upgrade to SQL Server 2005 or SQL Server 2008? Monitor database mirroring and replication after a SQL Server upgrade Upgrade live applications to SQL Server 2005 for high availability SQL Server high availability when upgrading to SQL Server 2005 How to restore SQL Server database to transition server during upgrade Upgrade Active/Active cluster to SQL Server 2005 and Windows 2003 FAQ: SQL Server databases how-to Upgrading to SQL Server 2008 advantages and hardware requirements Create an upgrade plan for your move to SQL Server 2005 RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data corruption  (SearchSQLServer.com) data hiding  (SearchSQLServer.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.