We have a SQL Server 2000 Analysis database (SP3), where
we need to restrict access to parts of the data to some
users.
All users will be accessing the cubes from the Internet
and I was thinking of using the OWC.

The question is how do we associate an internet user to a
cube role?

From the MSDN article at
http://msdn.microsoft.com/library/default.asp?
url=/library/en-us/dnsql2k/html/sql_datapump.asp , it
looks like we need to use "Basic authentication" and
provide userID and password in the connection string
included in the OWC. We would run IIS on the same server
as Analysis Services.

How can we make the OWC connection dynamic, so that each
internet user could have his own userid and password
included in the connection string, and thus be uniquely
identified by Analysis Services?

Any other suggestions?

Hi James,

Have you checked the following article?
279489 INF: How to Connect to Analysis Server 2000 By Using HTTP Connection
http://support.microsoft.com/?id=279489

324961 Support WebCast: Microsoft SQL Server 2000 Analysis Services: How to
http://support.microsoft.com/?id=324961

I think if you need to assign every Internet user with different user name
and password, you would need a lot of efforts (e.g. creating a Windows
account for every Internet user).


Bill Cheng
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
--------------------

I have now read both articles you referred me to. It looks
like I should be using basic (or digest) security.

I have 2 problems with that:
1) "If you don't want to hard code the user ID and
password on the connection string, you can simply leave
them blank and the client will receive a pop-up prompting
them to enter the user name and password". I have done
that, even included the PROMPT=1 in the connection string
and I'm not getting any prompts (using OWC 10). Is there
something else I should be aware of? My connection string
in the OWC component:
<x:ConnectionString>Provider=MSOLAP.2;Dat a
Source=http://MyServer;PROMPT=1;Initial
Catalog=MyCatalog;Client Cache Size=25;Auto Synch
Period=10000</x:ConnectionString>

2) The article says "This user name and password will be
validated against the local security database on the IIS
server". This looks to me like IIS won't be telling
Analysis Services who the user is. IIS will just check
that the user is allowed on this server, right?
This would mean that I still cannot link an internet user
to an Analysis role.

Just to clarify, won't be "creating a Windows account for
every Internet user", just an account for each VALID
internet user.

To sum it up, all I want to do is use Analysis role-based
security as some users aren't supposed to see all the cube
data. And some of those users will be accessing the data
from the Internet using OWC 10 or 11.