Grant permissions on stored procedures (Analysis Services)

Topic Status: Some information in this topic is preview and subject to change in future releases. Preview information describes new features or changes to existing features in Microsoft SQL Server 2016 Community Technology Preview 2 (CTP2).

Stored procedures, or assemblies, in Analysis Services are external routines, written in a Microsoft .NET programming language, that extend the capabilities of Analysis Services. Assemblies let the developer take advantage of cross-language integration, exception handling, versioning support, deployment support, and debugging support.

You must be a Server Administrator to register an assembly. See Configure Analysis Services Server Administrators.

Security context for stored procedure execution

Any user can call a stored procedure. Depending on how the stored procedure was configured, the procedure can run either in the context of the user calling the procedure or in the context of an anonymous user. Because an anonymous user has no security context, use this capability together with configuring the instance of Analysis Services to permit anonymous access.

After the user calls a stored procedure but before Analysis Services runs the stored procedure, Analysis Services evaluates the actions within the stored procedure. Analysis Services evaluates the actions in a stored procedure based on the intersection of the permissions granted to the user and the permission set used to run the procedure. If the stored procedure contains any action that cannot be performed by the database role for the user, that action will not be performed.

Following are the permission sets that are used to run stored procedures:

  • **Safe   **With the Safe permission set, a stored procedure cannot access the protected resources in the Microsoft .NET Framework. This permission set only allows for computations. This is the safest permission set; information does not leak outside Analysis Services, permissions cannot be elevated, and the risk of data tampering attacks is minimized.

  • **External Access   **With the External Access permission set, a stored procedure can access external resources by using managed code. Setting a stored procedure to this permission set will not cause programming errors that could lead to server instability. However, this permission set may result in information leaking outside the server, and the possibility of an elevation in permission and data tampering attacks.

  • **Unrestricted   **With the Unrestricted permission set, a stored procedure can access external resources by using any code. With this permission set, there are no security or reliability guarantees for stored procedures.

See Also

Concepts

Multidimensional Model Assemblies Management