Monitoring Server application pool accounts

Updated: 2009-04-30

The Monitoring Server application process runs as an account that is specified by the application pool identity configuration.

In addition to the built-in Local System, Local Service, and Network Service accounts, a local or network account can be specified. This account requires access to the application database and to any required data sources. If the server is configured for "connect per-user authentication," meaning that the credentials of the individual end user are used for authentication, then the application pool account only needs access to the application database. However, all users must be given access permission to any data sources.

Whenever possible, Monitoring Server should be run with a domain account that has low privileges. The identity should not have access to any resources other than those required by the application.

The Monitoring Server application pool identity runs under the account specified by the Monitoring Server Configuration Manager. The application pool identity that the SharePoint site runs under should be set up with the same account. However, the Monitoring Server Configuration Manager does not change whatever the current setting is, and it is up to the user to change this setting manually. We recommend using a domain account as the application pool identity. The domain account should only be assigned to the IIS_WPG group on the computer that Monitoring Server is installed on.

Monitoring Server Configuration Manager supports specifying a domain account, which is the recommended deployment. Monitoring Server Configuration Manager also supports specifying a built-in account. Monitoring Server Configuration Manager automatically assigns the selected account access to the metadata stored in the application database. By default, this account needs to be manually assigned permissions to each of the data sources that you plan to use.

Data-source authentication

Monitoring Server data sources will often require Monitoring Server to authenticate in order to access the data. By default, Monitoring Server always uses the application pool identity for connecting to any data source. The only exception is data sources that allow administrators to specify a connection string that contains access credentials. In Dashboard Designer, the wizard for creating a SQL Server 2005 Analysis Services data source allows you to specify a set of roles with which to secure the connection to Analysis Services.

Authenticating to data sources as a single user may not provide enough control over access to an organization's business data. Two options are available in Monitoring Server to allow for better access control.

The first option is to use the CustomData field on an Analysis Services connection string. Monitoring Server can place the domain name and user name of the account that is authenticating to the server in the CustomData property of the connection string. Analysis Services can then be configured to restrict access based on the string that contains the user name provided by Monitoring Server.

The second option is to enable Monitoring Server support of Kerberos delegation by enabling the Bpm.ServerConnectionPerUser property in the Web.config file. Delegation provides an impersonation token from the currently authenticated user to any registered data source. With Kerberos delegation, each of your users needs access to the data source. This per-user data source access must be registered with both Monitoring Server and the service that users will be connecting to. The advantage to this approach is that you can use the application security models that are available for each registered data source.

Analytic reports and data source security

Support for navigation on Analysis Services reports lets users gain an understanding of their business beyond what a static report conveys. The report-level security for members of Editor roles and Reader roles allows users to share relevant data with a specific set of people. However, Editor role or Reader role permissions on an analytic report do not prevent users from seeing data beyond what the intended view shows. In this situation, security on the data source is the only way to limit access to cube data: once a user has access to a data source that references an Analysis Services OLAP cube, the user can see all of the data in that cube unless access is restricted in Analysis Services. By default, Monitoring Server connects as a single user for all data sources.

Data source connection strings

Monitoring Server provides users with the ability to specify their own connection strings for many of the supported data source types. If you choose to specify a set of credentials as part of the connection string, then you need to be aware that these credentials will not be encrypted and can be stored directly in the workspace of whoever has access to the data source.
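The two points above (the per-user CustomData value on an Analysis Services connection string, and the warning that credentials embedded in a connection string are stored unencrypted) are illustrated by the following added example. It is not code from Monitoring Server or Dashboard Designer; it is a small Python review helper that parses an OLE DB style connection string, flags embedded credential keys, checks for Integrated Security, and builds the per-user CustomData variant. The DOMAIN\user format, the key names treated as credentials, and the sample server and catalog names are all assumptions constructed for the example.

```python
import re

# Added example, not part of Monitoring Server: helpers for reviewing data-source
# connection strings before they are stored, and for building the per-user
# CustomData variant. Key names and sample values below are constructed.

CREDENTIAL_KEYS = {"user id", "uid", "user", "password", "pwd"}
INTEGRATED_VALUES = {"sspi", "true", "yes"}
# Assumed DOMAIN\user format for the value Monitoring Server supplies as CustomData.
DOMAIN_USER_RE = re.compile(r"^[A-Za-z0-9_.-]+\\[A-Za-z0-9_.$-]+$")


def parse_connection_string(conn):
    """Split an OLE DB style 'Key=Value;Key=Value' string into (key, value) pairs.

    Values wrapped in single quotes, double quotes or braces may contain ';'.
    Key case is preserved so the string can be rebuilt as written.
    """
    pairs = []
    i, n = 0, len(conn)
    while i < n:
        while i < n and conn[i] in " ;":      # skip separators and padding
            i += 1
        if i >= n:
            break
        eq = conn.find("=", i)
        if eq == -1:
            raise ValueError("malformed segment: %r" % conn[i:])
        key = conn[i:eq].strip()
        j = eq + 1
        while j < n and conn[j] == " ":
            j += 1
        if j < n and conn[j] in "'\"{":       # quoted value
            close = "}" if conn[j] == "{" else conn[j]
            end = conn.find(close, j + 1)
            if end == -1:
                raise ValueError("unterminated quoted value for %r" % key)
            value, i = conn[j + 1:end], end + 1
        else:
            end = conn.find(";", j)
            if end == -1:
                end = n
            value, i = conn[j:end].strip(), end
        pairs.append((key, value))
    return pairs


def _format_pair(key, value):
    """Quote a value only when it contains the separator."""
    if ";" in value:
        if '"' in value:
            raise ValueError("value for %r cannot be quoted safely" % key)
        value = '"%s"' % value
    return "%s=%s" % (key, value)


def embedded_credentials(conn):
    """Lower-cased names of credential keys found in the string (the page warns
    these are stored unencrypted); an empty list means none are embedded."""
    return sorted(k.lower() for k, _ in parse_connection_string(conn)
                  if k.lower() in CREDENTIAL_KEYS)


def uses_integrated_security(conn):
    """True when the string asks the provider for Windows (SSPI) authentication."""
    for key, value in parse_connection_string(conn):
        if key.lower() == "integrated security":
            return value.lower() in INTEGRATED_VALUES
    return False


def with_custom_data(conn, domain_user):
    """Return conn with CustomData set to the authenticated user's DOMAIN\\user.

    Any existing CustomData entry is replaced, and the value is validated so a
    crafted account name cannot append further properties (';', quotes).
    """
    if not DOMAIN_USER_RE.match(domain_user):
        raise ValueError("unexpected account name: %r" % domain_user)
    kept = [(k, v) for k, v in parse_connection_string(conn)
            if k.lower() != "customdata"]
    kept.append(("CustomData", domain_user))
    return ";".join(_format_pair(k, v) for k, v in kept)


def review(conn):
    """Findings a reviewer would raise before a connection string is stored."""
    findings = []
    creds = embedded_credentials(conn)
    if creds:
        findings.append("embedded credentials: " + ", ".join(creds))
    if not uses_integrated_security(conn):
        findings.append("Integrated Security=SSPI not present")
    return findings


# Constructed sample strings (server and catalog names are made up).
SAMPLE_WITH_CREDS = ('Provider=MSOLAP;Data Source=olapsrv01;Initial Catalog=Sales;'
                     'User ID=svc_olap;Password="s3cret;x"')
SAMPLE_INTEGRATED = ("Provider=MSOLAP;Data Source=olapsrv01;Initial Catalog=Sales;"
                     "Integrated Security=SSPI")

if __name__ == "__main__":
    for sample in (SAMPLE_WITH_CREDS, SAMPLE_INTEGRATED):
        print(sample, "->", review(sample) or ["ok"])
    print(with_custom_data(SAMPLE_INTEGRATED, "CONTOSO\\alice"))
```

The validation in with_custom_data matters because the CustomData value originates from the authenticated user's account name: restricting it to a plain DOMAIN\user shape keeps a name containing ';' or quotes from becoming additional connection-string properties. On the Analysis Services side, a role's security expression can read the property back with the MDX CustomData() function; that role configuration is outside this example.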

Warning

We recommend that you do not supply credentials as part of a connection string.

Deployments of SharePoint Products and Technologies

We recommend that the Monitoring Server application pool identity account match the account used by the Monitoring Server Web sites. This ensures that, if you are using the default configuration, your reports and scorecards are executed under the same user context. If you choose to use the Bpm.ServerConnectionPerUser property, we still recommend matching the accounts, because it simplifies the Kerberos configuration. Note that the process running your deployment of SharePoint Products and Technologies has access to the metadata repository for Monitoring Server. Make sure that your deployment restricts who can publish content, because those users might be able to access Monitoring Server data.

IIS configuration

In addition to configuring the application pool identity and the Web.config file, you must further secure Monitoring Server by enabling SSL for all the relevant Web sites. We recommend using Integrated Windows authentication on a default port; we do not recommend any other authentication method or a non-default port.

Download this book

This topic is included in the following downloadable book for easier reading and printing:

See the full list of available books at Downloadable content for PerformancePoint Monitoring Server.