I am new to SSAS technologies for developing analytical models. I have to build several tabular models for a huge application in which security is quite relevant. What I would like to do is to re-use the row level security existing in the sources of the cube and apply it to the cube itself.
For example, if I build a tabular model from two tables of a schema, and these two table have RLS enabled, I would like the cube to take this security into account, so that when I access reports and log in as user, I will only see aggregated data according to the permissions I have.
Searching through the web I found ways of implementing RLS within the cube, but none about inheriting it from the sources. But again, I am new to the technology, so I preferred to ask here.
Thanks
The most obvious solution to your request is running SSAS Tabular in thin mode (called DirectQuery mode). As long as in the Existing Connections dialog in Visual Studio you set ImpersonateCurrentUser, when a user queries the SSAS model, SSAS will in turn send one or more SQL queries to the database under the end user's credentials. RLS in the SQL database will come into play here.
One caveat is that I would only recommend DirectQuery in SSAS 2016 not prior. Another caveat is that performance will be slow compared to a cached model in SSAS. So if performance isn't acceptable then turn off DirectQuery and reimplement RLS inside SSAS. Also DirectQuery uses zero caching of results currently so the load against SQL will not be offloaded to SSAS at all. Finally, if you use DirectQuery and ImpersonateCurrentUser you may have to setup Kerberos if your SQL server isn't on the same server as SSAS so that user credentials can double hop.
Related
I want to define all the acces rights in my SQL Server database so it is nice and centralized. I am implementing basic stuff like grant select on schemas and tables, encryption of columns and RLS.
On top of the database I build a Tabular model with SSAS with DirectQuery connection.
On top of the Tabular model I want to build a report with DirectQuery connection.
directQuery states:
Security can be enforced by the back-end source database by using row-level security features from the database.
Impersonation in Analysis Service Tabular states:
Impersonate Current User Specifies data should be accessed from the datasource using the identity of the user who sent the request. This setting applies only to DirectQuery mode.
Issue:
I cannot choose "use current user" as impersonation mode in my ssas tabular model. -> "ssas the datasource contains an impersonationmode that is not supported for processing operations"
changing the impersonation mode in ssms yields this error, VS2019 looks similar with the same content
I can deploy it as a specific user but that means that everybody uses the access rights of that specified user.
My tabular model uses compatibility level 1400. It is deployed to a Microsoft Analysis Server 15.0.32.50, Tabular Mode. (The model cannot use DirectQuery when in compatibility 1500 for some arcane reason. Please don't make this your topic unless you absolutely have to.)
SQL Server Version is 2019, 15.0.2000.5
The on-premise Report Server must be used.
SSAS, database and report server run on the same SQL Server.
Is it possible to implement this solution using database, ssas and report server on the same machine? If so, how?
Alrighty, so after messing around with this stuff for wayyy too long, I narrowed it down to the SQL-Server setup. Something there in the configuration is causing a bunch of issues.
Using direct query to pass down user information in the way described above is perfectly valid.
I have a problem with an application which encompasses an SSAS project, with an OLAP cube, and a client project using ASP.NET Core and Blazor WebAssembly, and a SSRS project.
The ASP.NET Core app retrieves reports from the SSRS server, but the report parameters are written in C# and Blazor; and the problem I have is about how to get available values for these parameters.
For example, if a filter is about anesthesists, I want to display in a combobox all the anesthesists names, but from where do I get this information?
I have 2 choices: either from the OLAP cube, using the AdoMdClientNetCore Visual Studio extension, or from the source database in SQL Server.
I would like to know if there are some good practices concerning this subject; I googled here and there but without relevant results.
I would recommend to get data from SSAS. Reasons for this:
Working structure of your project - Client project <-> SSRS <-> SSAS <-> Some DB. And Some DB datasource is beyong the scope of the project. SSAS acts as a single point of contact with Some DB, if the Client App will access the DB - it will create another contact point to the DB. This extra contact point has to be configured, maintained etc.
SSAS updates its data, reading from its data sources, in timely batch manner during so called "Processing" jobs, unless you use special ROLAP mode. This means some delay in information passing from DB to SSAS. Report gets data from SSAS, so, reading directly from DB could bring in inconsistency some rare cases.
Separation of concern. SSAS accesses DB with some queries. If the Client App accesses the DB as well, modifications made to SSAS have to be transferred to the Client App, complicating development and support of the solution.
I have a question regarding the ssas-models tabular and multidimensional cube.
I've read that both models can work in a real-time-mode (direct query mode & rolap).
My questions concerns the tabular model in in-memory-cache-mode and the multidimensional model in molap-mode. How recent is the data there? Can I define myself how often the data gets refreshed or how is this managed?
thank you in advance!
first, in regards to real-time mode, ROLAP is indeed as real-time as the data source it is utilizing. Therefore, if it is accessing a data warehouse that performs daily ETL, it is only as up to date as the warehouse. SSAS Tabular direct query mode is only applicable with a SQL Server data source (currently).
The main purpose of ROLAP or direct query mode is to yes, allow for real-time (if that is a reporting requirement) but mainly to put the processing requirements on the data source server rather than the Analysis Services server.
Second, in regards to Tabular in-memory and MOLAP multidimensional modes, yes, you define the frequency via a scheduled SSIS package or XMLA script.
I was trying my hands on building Cubes using AdventureWorksOlap database. I successfully build what I was trying to do. Now my concern is that I want to deploy the cube to a server so that rest of the team members can use this cube as a datasource while generating their SSRS reports (might be some other tools).
I have heard that SSAS does not allows Sql Authentication. So,
1) how will the members access the cube?
2) What authentication changes do I need to incorporate?
3) How can the other developer using his computer's SSMS access the cube and make changes to it (just like we can do it in the OLTP database)?
4) I need to prepare a dashboard using this cube. Any suggestions on this one.
Thanks in advance.
1) Windows Authentication
2) none.
3) Once the cube is deployed you cant change it. Actually you can change some things like partitions and roles, but you cant add a dimension for example. You need to change the project on BIDS and redeploy it
I would recommend starting with Excel Pivot Tables to learn what type of dashboard you will want to create. By working with the end-users, you can understand what information they want/need to see.
Regarding security, as mentioned, by design cubes use Windows auth only. Here's a blog that talks about circumventing standard security.
Also, I have posted a series of videos on how to create OLAP cubes SSAS in SQL Server 2008 using BIDS. You may find this series helpful.
I'm trying to configure storage mode ROLAP for a partition in an existing SSAS cube. The cube is a little messy in that the measure group is defined by a named query (as opposed to a table) and the dimensions are defined in several different data source views (DSV).
This is the error message I get when querying the cube with mdx:
Executing the query ...
Server: The operation has been cancelled.
Errors in the high-level relational engine. The 'dbo_dim_account' table that is required for a join cannot be reached based on the relationships in the data source view.
Execution complete
Note that MOLAP storage mode with proactive caching works fine. This problem occurs only when storage mode is ROLAP or HOLAP.
Also, I have tried to add the tables of all dimensions to the DSV of the cube in question but that doesn't seem to help.
Any ideas?
Not an expert here, but you could try importing the AS DB in Visual Studio.NET - "Import Analysis Services database" in the New Project... dialog.
Once in there, you can see the table schemas for the Data Source View (which is where the relational tables are defined that the cubes are extracted from). Next, look to make sure the "dbo_dim_account" table is there and that your fact table is related to it.
It may be that a dimension and fact have to be in the same DSV for the relation to work?
Also, maybe the SSAS flight recorder or Application log would have more issues?