dbTalk Databases Forums  

Microsoft scorecard and security

microsoft.public.sqlserver.olap

#1 reno
Microsoft scorecard and security - 03-26-2005, 03:45 PM

Hi,

I'm working on Microsoft Scorecard Accelerator and I'm facing a problem
applying roles.

As far as I understand, roles under MSAS are applied according to the user.

I defined a role which displays a few members of product in the foodmart sample
and plugged a KPI onto that measure. I linked a web part with my (simple)
scorecard + a dimension slicer (linked together). Without anything, I see
all my product hierarchy in the slicer.

When I connect with the restricted account, I still see the whole
hierarchy instead of seeing a part of the tree as expected. I switched
connectionPeruser=true but it doesn't change anything. Moreover, I added a
role into the connstring, but the problem is that this role is applied to
everyone.

How can I have dynamic roles in MS Scorecard Accelerator? Do you have any
suggestions?

Thanks in advance for your help.

Rgds,



Renaud Harduin

Paris



#2 Deepak Puri
Re: Microsoft scorecard and security - 03-26-2005, 10:12 PM

This thread discussed the same issue - based on the Scorecards
Administrative Guide, it looks like you need Kerberos for a multi-server
configuration:

http://groups-beta.google.com/group/...rver.olap/msg/e2c224551a39c084
Quote:
Newsgroups: microsoft.public.sqlserver.olap
From: Deepak Puri <deepak_p... (AT) progressive (DOT) com>
Date: Wed, 14 Jul 2004 08:39:59 -0700

Subject: Re: Scorecard Accelerator & user context

There is supposedly a newsgroup for the Scorecards as well, which is
mentioned in the FAQ. This section (p.31) from the Admin Guide suggests
that Kerberos is at least possible:

Per-User Security

By default, Business Scorecards uses the IIS application pool account to
securely access the data sources. However, if all of your scorecards
components are on a single computer, you can add the following key to
the web.config file to use per-user security. In a per-user
configuration, a designated data access account is not used to proxy
client requests. Instead, the individual credentials of each user’s
account is used to determine access permissions in SQL Server and
Analysis Services.

The advantage of per-user security is that you can customize security
levels to suit your administrative personnel. Every user can have an
individual security setting tailored for their access needs. However,
depending on the number of scorecard users you have, a per-user
configuration may result in slower performance, because a separate
security cache must be maintained and looked up for each scorecard user.

To activate per-user security, in the web.config file that corresponds
to your Business Scorecards SharePoint Web site, type the following:
• <add key="Scorecard.ConnectionPerUser" value="True"/>

Note that per-user security is recommended only for single-server
deployments. Per-user security across multiple computers requires
Kerberos. Upon installation, SharePoint extends your IIS virtual server,
resulting in a switch from Kerberos authentication to Integrated Windows
authentication. Integrated Windows authentication doesn’t allow
delegation between computers. Therefore you need to use SharePoint with
Kerberos. For information on using SharePoint with Kerberos, see the
knowledge base article 832769 “How to: Configure Windows SharePoint
Services to Use Kerberos Authentication” at

http://support.microsoft.com/?id=832769.


- Deepak

Deepak Puri
Microsoft MVP - SQL Server

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!


#3 reno
Re: Microsoft scorecard and security - 03-27-2005, 09:16 AM

Hi Deepak,

In fact I tested MS Scorecard on a distributed architecture and I got a
login "null" error. That's why I decided to try it locally on a VPC,
expecting that the credential is valid.
Activating connectionPerUser="true" works (instead of having a null error in
a distributed mode), but the Cube Roles are not applied, as if they are
ignored.

Do you have another idea?

Rgds,

Reno



#4 Deepak Puri
Re: Microsoft scorecard and security - 03-29-2005, 01:11 AM

Hi Reno,

Only thing I can think of is to confirm that the restricted user account
you are using to test is not a member of OLAP Admin. You could set up
user audit on the OLAP server, to confirm which account is used by the
scorecard:

http://www.microsoft.com/technet/pro...ntain/anservog.mspx#EUAA
Quote:
Microsoft SQL Server 2000 Analysis Services Operations Guide
...
Besides monitoring query activity, you might want to determine when
users connect and disconnect from your server. To log connect and
disconnect events in the Windows application log, edit the AuditEvents
key in the registry (\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLAP
Server\CurrentVersion) and change the default value from 0xd (13) to 0xf
(15).
...

- Deepak

Deepak Puri
Microsoft MVP - SQL Server

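
The audit check suggested above, as an added example that is not part of the original post: it turns on the bit that separates 0xd from 0xf without overwriting the rest of the mask, then searches the Application log for the test account. The DWORD value type and the account name `SERVERNAME\restricted-user` are assumptions.

```powershell
# Added example (not from the thread). Run in an elevated session on the OLAP server.
# Assumption: AuditEvents is stored as a DWORD value under the key quoted in the post.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\OLAP Server\CurrentVersion'
$valueName = 'AuditEvents'

# 0xd (1101b) and 0xf (1111b) differ only in bit 0x2, so that bit is what the
# quoted Operations Guide change turns on for connect/disconnect logging.
$connectBit = 0x2

function Add-ConnectAuditBit {
    param([int]$Mask)
    # OR the bit in rather than writing 0xf, so a non-default mask is preserved.
    return ($Mask -bor $connectBit)
}

$current = [int](Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
$wanted  = Add-ConnectAuditBit -Mask $current

if ($wanted -eq $current) {
    Write-Output ('AuditEvents is already 0x{0:x}; connect/disconnect logging is on.' -f $current)
} else {
    # Print the old value so the change can be reverted after the test.
    Write-Output ('AuditEvents 0x{0:x} -> 0x{1:x}' -f $current, $wanted)
    Set-ItemProperty -Path $keyPath -Name $valueName -Value $wanted
}

# After reproducing the problem from the scorecard page, list recent Application
# log entries whose text mentions the test account.
$account = 'SERVERNAME\restricted-user'   # hypothetical placeholder
$since   = (Get-Date).AddMinutes(-15)

Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -and $_.Message.IndexOf($account, [StringComparison]::OrdinalIgnoreCase) -ge 0 } |
    Select-Object TimeCreated, ProviderName, Id, Message |
    Format-List
```

If the connect entries name a different account than the one used in the browser, the scorecard is not connecting to Analysis Services as the end user.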


#5 reno
Re: Microsoft scorecard and security - 03-30-2005, 06:29 PM

I'll try and tell you and the group,
thanks for your suggestion,

rgds,

Reno



#6 reno
Re: Microsoft scorecard and security - 03-30-2005, 06:56 PM

Hi Deepak,

I activated the event viewer and I saw that it is my final user who is
connected, but the roles are not honored.
In order to activate roles, is there any particular manipulation to do?
In the scorecard docs, it is said that by default the all user role is
applied to any connection.

Enforcing roles in the config of scorecard doesn't let me specify
cumulative and multiple roles, for example:
role1,Role0 => only role1 is applied even if the user enters into the case of
Role0

Did you have any experience of that?

rgds,

Reno



#7 Deepak Puri
Re: Microsoft scorecard and security - 03-31-2005, 11:35 PM

Hi Reno,

Are you referring to the OLAP roles that have been configured on the
Analysis Server - these can be specified in the OLAP connection string,
but the connecting user ID must be a member of the requested role(s).
So, when you say that the role is not honored, can you describe what is
happening, in terms of OLAP data access?


- Deepak

Deepak Puri
Microsoft MVP - SQL Server


#8 reno
Re: Microsoft scorecard and security - 04-02-2005, 03:17 PM

Hi Deepak,

I'm referring to roles.
I define a role (role1) seeing only food in the product hierarchy and declare
the user "SERVER NAME\reno" as a member of that role (Reno is not admin).
When I connect using that user, unfortunately, I see everything.

Then I define a role2 which sees everything.

I saw that I can enforce roles in the connection, separating them by a
comma, but if I put:
role1,role2 the role1 is applied to everyone (the member of role1 and role2!)
role2,role1 the role2 is applied to everyone (the member of role1 and role2!)

Everything is as if roles are not dynamically applied.

rgds,

Reno




