Monitoring Server security considerations

Updated: 2009-04-30

The following sections describe the security features available in Monitoring Server.

Authentication

Monitoring Server relies on Microsoft Internet Information Services (IIS) domain authentication to authenticate user access to the application. Any active user in a trusted domain has access to the Web service, but without specific object- or server-level roles, the user does not have permission to create or view any metadata on the server.

Monitoring Server is configured with a predefined set of roles in the database repository. Authorization is based on a comparison among the user, the groups that the user belongs to, and the Monitoring Server roles assigned to the user.

Application security

Monitoring Server provides several roles that define the permissions to administer or create dashboard elements. In Dashboard Designer, users and groups from the Active Directory directory service are assigned to these roles.

In addition to the basic roles on the system, there are the dashboard element roles of Editor and Reader, which apply to the individual elements on the server. These dashboard elements include reports, scorecards, and the definition of the dashboard itself.

Kerberos delegation security

Impersonation allows a Web application or Web service to access local resources under the identity of another entity, rather than under its own process identity. Delegation allows a Web application or Web service to use the impersonation token to access remote network resources.

Scenarios that require the use of delegation are commonly referred to as "double-hop" scenarios. Delegation operates based on Integrated Windows authentication and the Kerberos protocol. Monitoring Server requires delegation if the Bpm.ServerConnectionPerUser property is set to True in the Web.config file and the services and Web sites that are registered as data sources are installed on remote computers. The Bpm.ServerConnectionPerUser setting forces Monitoring Server to attempt to use the authenticated user's identity when communicating with external data sources, such as Analysis Services.

See the PerformancePoint Server 2007 Deployment Guide for information on configuring Kerberos delegation.
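The following check is an added example, not part of the original documentation. It applies the rule above to a Web.config file and a list of data source servers to report whether Kerberos delegation is needed. It assumes the setting is stored as an `<appSettings>` entry, treats a missing key as not set to True, and takes the data source server names and the local computer names from the caller. The sample configuration and host names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config; the <appSettings> layout is an assumption.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="Bpm.ServerConnectionPerUser" value="True" />
  </appSettings>
</configuration>"""

# Names that always refer to the computer running Monitoring Server.
LOCAL_ALIASES = {"localhost", "(local)", ".", "127.0.0.1", "::1"}


def per_user_connection(web_config_xml):
    """Return True when Bpm.ServerConnectionPerUser is set to True."""
    root = ET.fromstring(web_config_xml)
    for node in root.iter("add"):
        if node.get("key", "").lower() == "bpm.serverconnectionperuser":
            return node.get("value", "").strip().lower() == "true"
    return False  # assumption: an absent key is treated as not set to True


def is_remote(server, local_names):
    """True when a data source server name does not refer to this computer."""
    raw = server.strip().lower()
    # Drop a named instance or port, e.g. "OLAP01\\INST1" or "olap01:2383".
    host = raw.split("\\")[0].split(":")[0]
    if raw in LOCAL_ALIASES or host in LOCAL_ALIASES:
        return False
    local = {n.lower() for n in local_names}
    short = {n.split(".")[0] for n in local}
    # Match on either the full name or the short (NetBIOS-style) name.
    return host not in local and host.split(".")[0] not in short


def delegation_required(web_config_xml, data_sources, local_names):
    """Return (required, remote_sources) for the double-hop rule."""
    remote = [s for s in data_sources if is_remote(s, local_names)]
    return per_user_connection(web_config_xml) and bool(remote), remote


if __name__ == "__main__":
    needed, hops = delegation_required(
        SAMPLE_WEB_CONFIG, ["OLAP01\\INST1", "localhost"], ["MON01.corp.example"])
    print("Kerberos delegation required:", needed, "remote sources:", hops)
```
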
