Deploying Planning Server securely

Updated: 2009-04-09

Use both Secure Sockets Layer (SSL) and Kerberos authentication for the most secure deployment of Microsoft Office PerformancePoint Server 2007.

PerformancePoint Planning Server security is divided between two areas: application and deployment. Application security enables authorized users to access applications and perform application tasks. Deployment security allows user and server authentication.

The person installing Planning Server and its prerequisites must be logged on to the Web server computer as a user with the following access rights. The person who performs the installation can use a different account from the one used for the service identity (SI) account.

  • Administrators group: The person installing PerformancePoint Planning Server must be a member of the Administrators group on the Web server where Planning Server is being installed. The administrator user who installs Planning Server automatically becomes a Global Administrator of PerformancePoint Server.

    Note

    The PerformancePoint Server installer must be a member of the Administrators group or have the requisite permissions granted explicitly by an Administrator of the server computer. Without these permissions you cannot install PerformancePoint Server on a Windows server computer. PerformancePoint Server setup and configuration interacts with the registry, files within the system drive, the Program Files area, as well as with supported versions and editions of SQL Server. A regular user cannot make changes to any of these areas. The Administrator permission can be decreased or revoked from the PerformancePoint Server installer when the installation is complete.

  • Administrator rights for SQL Server: For the Planning Server installation, the person installing Planning Server must have local or domain Administrator rights for the SQL Server where the PerformancePoint Planning database is stored.

Two security accounts are important during deployment planning.

  • Service Identity account: Planning Server Configuration Manager handles all configurations for the service identity (SI) account for Planning Server stand-alone installation. No further work for the application pool identity and SI account is required during the stand-alone installation. For distributed installation of Planning Server, there are manual steps for some servers. See Install Planning Server in a distributed environment for complete details.

  • Personal DBA account: The DBA account is the account which has the system administrator system role in SQL Server. Planning Server does NOT require a new DBA account to be created. However, you will need a DBA account to execute some SQL scripts when you create a new application and you choose "Manual Execute" mode to create the application.

Planning Server allows access to data through:

  • Internet Explorer for Planning Server configuration settings and administrative role membership, and for application and model site metadata.

  • Planning Business Modeler for business data and model site metadata, and for business role and administrative role membership.

  • PerformancePoint Add-in for Excel for business data.

  • PPSCmd.exe command-line tool.

For each of these, we recommend using the most secure authentication methods available. Authenticated user, IIS security, and file-level security are all recommended to prevent unwanted data access and potential loss.

All domain users can access Planning Administration Console. However, a user must be a member of one of the Planning Server administrative roles to actually connect to a Planning Server computer. Once a user is connected, the options in the left navigation pane of the Planning Administration Console are activated.
