• Article

Securing Access Through Analysis Services

In addition to securing the computer that is running Microsoft SQL Server Analysis Services and Microsoft Windows, you also have to secure Analysis Services itself. Analysis Services only permits connections by users who have been previously authenticated by Windows, unless anonymous connections have been enabled, and who have specifically been granted permissions within the instance of Analysis Services; users without permissions cannot establish a connection.

Important

Analysis Services does not perform its own authentication of users. Analysis Services relies on Windows to authenticate all users before authorizing access to Analysis Services data or letting users perform administrative tasks.

By default, the only users who have permissions within Analysis Services are those users who are members of the Server role. Members of the Server role have server-wide privileges and can perform any task within the instance of Analysis Services, including adding other users and groups to the Server role. By default, members of the Administrators local group, including the Administrator local user and all Domain Administrators, are members of the Server role, and as such have Full Control permissions within each instance of Analysis Services.

Note

While members of the Administrators local group are members of the Server role, their membership in the Server role is not visible in the user interface.

Securing Access by Users Outside of the Server Role

By default, any user who is not a member of the Server role does not have any permissions within Analysis Services. To obtain permissions, a member of the Server role must first create a user-defined database role and then grant permissions to that role:

  • A user-defined database role can be granted limited or full administrative permissions within a database.

  • A user-defined database role can also be granted limited or full permissions to access the data itself.

After creating the user-defined database role and granting permissions, a member of the Server role must then add the appropriate Windows users and groups. Only after a user has been added to the user-defined database role does that user gain permissions within Analysis Services.