Plan for PerformancePoint Services security (SharePoint Server 2010)
Updated: May 26, 2011
In PerformancePoint Services in Microsoft SharePoint Server 2010, the objects that are stored in lists and document libraries are secured by the Microsoft SharePoint Server 2010 security model. On top of that model, PerformancePoint Services adds product features to the basic SharePoint Server 2010 framework to ensure that data sources and dashboard content are secure and protected from unwarranted access. Even though PerformancePoint Services has a dependency on the SharePoint Server 2010 security model, there are still special security considerations to consider and therefore plan and manage. All service-based security settings are managed within the SharePoint Server Central Administration Web site to make it easier to manage shared resources and user access.
This article describes areas to plan for in authentication, authorization, and data source authentication.
In this article:
View a chalk talk
In this video, Microsoft Senior Test Lead Kevin Beto provides an overview chalk talk about authentication methods that you can use with PerformancePoint Services.
Running time: 8:55
For an optimal viewing experience, download the video (http://go.microsoft.com/fwlink/p/?LinkId=218209).
Right-click the link, and then click Save Target As to download a copy. Clicking the link will open a .wmv file in the default video viewer for full-resolution viewing.
In PerformancePoint Services, you can choose between three methods for data source authentication.
Per User Identity: Each user’s own account is used to access all data sources. This method requires Kerberos delegation. A domain administrator must configure the Kerberos delegation between PerformancePoint Services and the data sources.
External data sources must reside within the same domain as the SharePoint Server 2010 farm. If external data sources do not reside within the same domain, authentication to the external data sources will fail. For more information, see Planning considerations for services that access external data sources in “Services Architecture Planning.”
Unattended Service Account: A single shared user account is used to access all data sources. This is a low privileged domain account stored in the Secure Store Service. In establishing your unattended service account, first determine whether this account has the necessary access to the data sources that will be required in the Dashboard.
Custom Data: Provides the ability for SQL Server Analysis Services to include the currently authenticated user name as a parameter on the custom data field in an Analysis Services connection string. The Custom data option is only used for Analysis Services data sources and can be used against Analysis Services 2005 and 2008 servers.
In PerformancePoint Services, data source connections are contained in document libraries and data content (KPIs, filters, scorecards, etc.) is contained in document lists. In order to help secure the content, and prevent users from running queries against data sources if the objects in the query are not trusted, the lists and libraries must be established as “trusted” locations. The farm administrator has the option to have all locations in the farm set as “trusted” or opt to identify specific locations to trust. Because of the ability to easily define the location in the farm to be secured, the farm administrator is freed from having to help secure the whole farm.
Trusted locations provide an additional layer of security that restricts query execution of data sources or of any object that depends on a data source that is not in a trusted location. The document library or any parent object up to the web application can be defined as trusted. In PerformancePoint Services, the configuration of trusted location settings is managed centrally through Central Administration. Configuration can also be managed by using Windows PowerShell 2.0 cmdlets. As you plan the security of PerformancePoint Services, consider if you want or have to secure your whole web application or to more tightly manage the location of secure data.
For example: Locations inside a farm that are independently marked as “trusted” have the following SharePoint Server 2010 hierarchy for either data content or data sources:
Disable the use of Trusted Locations for either data sources or content for the whole farm.
Trust lists or document libraries in the web application.
Trust lists or document libraries in a site collection including any child sites.
Trust lists or document libraries in a site.
Trust a single list or document library in the farm.
When verifying whether a location is trusted, the server will check whether Trusted Locations is enabled. If that property is enabled, the server will check the list of trusted locations starting at the site collection and continuing with each lower level of the hierarchy to verify that the content is trusted.
Items that do not use a data source do not have to be in a trusted location to be rendered. This includes Web pages, static KPIs, dashboards, and indicator icons.
Trusted data source locations cannot be defined on a list and Trusted content locations cannot be defined on a document library.
Trusted data content libraries
Trusted data content libraries are SharePoint Server 2010 document libraries that contain PerformancePoint Services data connection (.ppsdc) files. The .ppsdc files are used to centrally manage connections to data sources. These include SQL Server databases, OLAP cubes, relational databases, and Excel Services spreadsheets.
The data sources are defined in Dashboard Designer and stored in a trusted data connection library on SharePoint Server 2010. A trusted data connection library is a document library that you have determined as safe. It restricts the use of the data source files, but still enables them to be read. A document library is created by default when provisioning PerformancePoint Services, however. Administrators can manage data connections on the server by creating more than one data connection library. If a user updates data source connection in the document library, the information is shared and updated when a workspace file is opened in Dashboard Designer.
Trusted lists for dashboard content
Reports, scorecards, KPIs, and filters are all required to be stored in a trusted SharePoint Server 2010 list. The list or any parent object up to the site collection can be defined as trusted during the initial configuration or later via Central Administration.
Data source security
In PerformancePoint Services the security setting for data sources is stored in each data source. The setting that determines whether the server uses the currently authenticated user, unattended user account, or unattended user account using custom data is configured on each data source.
The Secure Store Service and Unattended Service accounts
The SharePoint Server 2010 Secure Store Service provides the capability of securely storing data such as credentials and associating them to a specific identity or group of identities. The Secure Store Service is present on all SharePoint Server 2010 farms.
In PerformancePoint Services, each data source can be configured to use the currently authenticated user credentials or the “Unattended Service Account”. The unattended service account is a set of domain credentials that are impersonated when connecting to a data source. The server uses the unattended service account instead of the managed account for data source queries to prevent the PerformancePoint Services process from accessing the content database during query execution.
PerformancePoint Services stores and retrieves unattended service account credentials in the Secure Store Service. Because the server must keep both the user name and password in order to impersonate the user, the password for the unattended service account is stored in the Secure Store Service. The user name is stored in the PerformancePoint Services database so that it can be accessed and can be displayed in the settings page.
When creating your unattended service account, ensure that the account has the necessary access to the data sources that will be required.
It is important to understand that unattended service account credentials are not cached globally. Instead, they are retrieved from the Secure Store Service only when they are needed. If you open a workspace file in Dashboard Designer with a data source that connects by using the unattended service option and the credentials are not already cached for that connection, the unattended service account password is retrieved from the Secure Store Service and uses the target data source.
Claims-based authentication in SharePoint Server 2010 supports multiple authentication providers on a single web application and is used to pass the users identity between the front-end web servers and the application servers. PerformancePoint Services supports multiple authentication providers only when you use dashboard content through a web browser. Dashboard Designer is not supported when you directly access a URL for any web application that uses multiple authentication providers. In order to use the Dashboard Designer in this configuration, you must extend the web application to configure access to the new URL that is restricted to the Windows authentication provider.
ConceptsConfigure the unattended service account for PerformancePoint Services
Configure claims authentication (SharePoint Server 2010)
Plan authentication methods (SharePoint Server 2010)
Plan for importing PerformancePoint Server 2007 dashboard content to SharePoint Server 2010
Other ResourcesResource Center: Security and Authentication for SharePoint Server 2010
May 26, 2011
Added a chalk talk video about PerformancePoint Services authentication methods.
July 8, 2010
The update clarifies the limitation and scope of PerformancePoint's Dashboard Designer in relation to Claims-based authentication.
June 24, 2010
Additional information included to clarify Dashboard Designer and its limitations in Claims-based authentication.
May 12, 2010