Authorization and permissions in PerformancePoint Services (SharePoint Server 2010)

 

Applies to: SharePoint Server 2010 Enterprise

Planning permissions and roles

PerformancePoint Services uses the SharePoint Server security model to control user access to various functionality and tasks. There are subtle yet significant changes in working with PerformancePoint Services in Microsoft SharePoint Server 2010 over Microsoft Office PerformancePoint Server 2007. In Microsoft Office PerformancePoint Server 2007, Monitoring Server has its own server and database that stores metadata and content. In Microsoft Office PerformancePoint Server 2007, security is applied globally at the server level and on each individual object.

In SharePoint Server 2010, the PerformancePoint metadata content is stored in SharePoint lists and document libraries. You therefore need to understand the differences between the assignment of permissions and roles between Microsoft Office PerformancePoint Server 2007 and SharePoint Server 2010.In Microsoft Office PerformancePoint Server 2007, the administrator on the server computer is automatically made an administrator. In SharePoint Server 2010, that individual is not automatically made an administrator. If needed, this assignment may be done manually.

Roles and permissions

PerformancePoint Services uses SharePoint Server authorization groups and permissions. As you plan how your users will use the service, review the primary SharePoint Server roles.

  • Farm Administrator:   In order to edit Dashboard items, this role needs at least contributor permissions on content lists (or list items) and data source libraries (or library items).

  • Site collection Administrator  In order to edit Dashboard items, this role needs at least contributor permissions on data source libraries (or library items).

  • Site Administrator or List/Document Library contributor:   In order to edit Dashboard items, this role needs at least contributor permissions on content lists (or list items) and data source libraries (or library items).

Important

If any person or role is tasked with re-deploying Dashboards after they have been imported from Microsoft Office PerformancePoint Server 2007, that person or role must have at least Designer permissions.

We recommend as a best practice that you create new SharePoint groups (or leverage existing ones) to help organize your roles within PerformancePoint Services. If you establish clear permission groups by work role you can keep better control over who has access to what.

The four server roles that are available in Microsoft Office PerformancePoint Server 2007 loosely map to predefined roles in SharePoint Server 2010. In PerformancePoint Services, they are Admin, Power Reader, Data Source Manager, and Create. In addition, two additional roles of Editor and Reader at the individual item level are set within Dashboard Designer. The table below maps out how roles in PerformancePoint Server 2007 map to PerformancePoint Services in Microsoft SharePoint Server 2010.

Important

Being an administrator on the server does not automatically add you as an administrator in PerformancePoint Services in Microsoft SharePoint Server 2010.

PerformancePoint Server 2007 role PerformancePoint Server 2007 Permissions PerformancePoint Services in Microsoft SharePoint Server 2010 role Comments

Admin

Edit any item and create new items

Contributor:   Data Content and Data Sources

Power Reader

Read any items (used for SDK processes)

Read:   Data Content and Data Sources

Data Source Manager

Create new items (data sources only)

Contributor:   Data Sources only

Creator

Create new items (except for data sources)

Contributor:   Data Content Only

Item Permissions

Editor

View, edit or delete the item

Contributor

Reader

View the item

None

Another way of approaching access needs is to look at the permissions based on the tasks:

User task PerformancePoint Services in Microsoft SharePoint Server 2010 Permissions Required

Launch Dashboard Designer

None, other than being an authenticated user in SharePoint Server 2010

Create PerformancePoint Dashboard items and save them to a SharePoint list or document library.

Contributor

Perform all Contributor tasks plus publish PerformancePoint Dashboards

Designer

View PerformancePoint Dashboards and use interactive features

Read

Manage user permissions for Dashboard items

Full Control (Site) or Site Collection Administrator

See Also

Concepts

Plan for PerformancePoint Services security (SharePoint Server 2010)