I am trying to follow Microsoft suggestions for securing SQL Server 2000. I
have been able to comply with everything suggested for SQL and SQL Agent.

I cannot find anything about securing OLAP.

Specificially
1. should I run the MSSQLServerOLAPService with the LocalSystem account, or
2. should I set up a special account with limited permissions?

For reference, I tried setting up MSSQLServerOLAPService with a special NT
account that belongs to group Power Users. Unfortunately, I get an error
"Access is denied.".

Any pointers would be appreciated.

BTW, I am trying to secure Distributed Transaction Coordinator in the same
way (special NT account in Power Users), but I get an error message
"Could not initialize the MS DTC XA Transaction Manager. MS DTC is being
started but the XA Transaction Manager feature will be disabled."
Duh!

For reference, this is SQL Server 2000 running the latest service pack on
Windows 2000 running the latest service pack.

Thanks,

-G

Securing Analysis Services is a lesser issue than with SQL Server because of
the limited risk of anyone using Analysis Services as a backdoor into the OS
or network. But securing the data is of course important, so it's important
that you take the necessary precautions as you are doing, and always run the
latest AS service pack level.

I wouldn't care much about the AS service account. It's not active in the
same way as SQL Server so you can just run as LocalSystem as long as you're
not doing anything fancy like remote partitions and stuff. If you do run it
under a domain account it needs the same permissions as the Olap
Administrators group. Be aware of domain controllors as they have tighter
security policies.

About the MSDTC error : XATM is a component in MSDTC that handles
transaction managing and monitoring for XA compliant resources like Oracle
and DB2. An error like yours probably means you have set permissions too
tight.

Jon Jahren


"Gerard Marshall Vignes" <gerardmarshallvignes (AT) hotmail (DOT) com> wrote

Just as a data point for the future, you cannot use LocalSystem if your data
source is located on a different machine.
The one permission that LocalSystem does *NOT* have is network access.
Therefore if the datasource for your cubes and dimensions, you need to run
under a domain service account which has access to the data on the remote
system. Just FYI.
--
Dave Wickert [MSFT]
dwickert (AT) online (DOT) microsoft.com
Program Manager
BI Practices Team
SQL BI Product Unit (Analysis Services)
--
This posting is provided "AS IS" with no warranties, and confers no rights.

"Gerard Marshall Vignes" <gerardmarshallvignes (AT) hotmail (DOT) com> wrote