Microsoft Office Tutorials and References
In Depth Information
Securing PerformancePoint Solutions
Much of the security for a PerformancePoint solution is handled by the SharePoint Foundation component.
The dashboards exposed by PerformancePoint Services are stored as ASPX pages in a folder within a SharePoint
document library. The permissions associated with the libraries, folders, and dashboard pages will control who
is allowed to access which pages.
However, the page itself is not usually what is most important. It is the data that we want to protect. Security can
become problematic when we have to access data sources outside of SharePoint. PerformancePoint Services provides
three authentication methods for accessing back-end data sources: per-user identity, an unattended service account
(USA), and a custom connection string for SQL Server Analysis Services.
Per-user identity allows a PPS dashboard to impersonate the user’s credentials when accessing back-end data.
This is a very secure way to access data because it provides a second check before allowing the user to access not
just the dashboard, but the data underlying the dashboard. However, this form of authentication requires Kerberos
delegation to be in place between the PerformancePoint server and the data source, so it’s not always possible
to use this type of authentication. See “Planning Considerations for Services that Access External Data Sources”
The most commonly used form of authentication with PerformancePoint Services is the unattended service
account. This is an account that is configured in the Secure Store Service and used to access a back-end data source.
The data source will see only the service account’s credentials, so it will not be able to filter the data it returns based
on the identity of the user accessing the dashboard. The service account must be given access to all necessary data
within all data sources in order for PerformancePoint to function properly. It is a best practice to use a service account
with the least permissions that will allow it to access the needed data.
The last option, called “Custom Data,” uses the unattended account but also includes the user’s login name on
the connection string. This option works only with SQL Server Analysis Services 2006 or later. In SSAS, this is known as
“Dynamic Security.” The idea is to allow the SSAS server to filter the query results when full Kerberos delegation is not
possible. The user’s login can be used in MDX queries and SSAS role assignments to limit the data returned by the cube.
The most important thing to note when choosing among these authentication options is that the choice can now
be made for each data source that is configured. In PerformancePoint Server 2007, it was necessary to configure a
single authentication mode for the entire server application. It was not possible to configure one data source using
per-user identity and another to use an unattended service account. In SharePoint 2013 and 2010, if multiple types
of authentication are required, you don’t need to configure multiple PerformancePoint service application instances.
Creating separate data sources is sufficient. However, the unattended account is configured for a PPS application
instance so that all data sources running against the USA in that instance will use the same account. See “Setting Up
PerformancePoint Services” and “Creating a Data Source” later in this chapter for details.
Business Intelligence Solution Components
A PerformancePoint solution is built by creating a set of business intelligence components that work together
to control how business data is aggregated and displayed. This section will introduce the concepts behind these
components and how they are deployed to a PerformancePoint service environment. For a step-by-step guide to
creating a real-world PPS solution, see “Authoring and Publishing PerformancePoint Solutions” later in this chapter.
BI Component Types
The components that go into a PerformancePoint solution are described at a conceptual level in this section.
Later, we’ll describe how these components are represented and stored in SharePoint.
A dashboard is a set of web pages displayed by SharePoint to allow the user to view and analyze data. Figure 6-2
shows a sample dashboard.
Search JabSto ::