Posted: 10/5/2011
I'm trying to test the content seen by a user based on his Windows user group. In SSAS I have two roles, one called 'Non Sensitive' that allows a user to see a certain set of data (a single cube). Next, I have an additional role called 'Sensitive' that gives the user access to an additional cube. Both roles are based on Windows groups created on the local machine (which is the entire test environment: no Active Directory, domain, etc.).
When I browse the cubes in SSMS, testing the various roles, they behave as expected; that is, the Non Sensitive user can't see the sensitive cube, and the sensitive user can see both cubes.
In PerformancePoint, I built a dashboard that shows one measure of the Sensitive cube, using a per-user identity data source. The sensitive user is able to see the data, but when I remove this account from the 'Sensitive' Windows group, the content is still accessible to the user. Additionally, when I browse the dashboard as the non-sensitive user, the dashboard displays 'error' where the KPI should be (which I suppose may be correct, but I would have expected a blank field instead of an error message). If I elevate this user account by placing him in the Sensitive Windows group, I get the same result (Error).
It seems like it should work 'all or nothing', not like this. Does anyone have any suggestions on what to check? I've pasted the errors seen in the event viewer for the non-sensitive user below. These occur when the dashboard loads and errors out.
Thanks in advance,
John B
An error occurred querying the DataSource named 'Secure Per User'. Server: localhost Database: MPSDI Cube: MPSDI Secure Exception: Microsoft.PerformancePoint.Scorecards.BpmException: You do not have permissions to see this data or the server is unavailable.
Microsoft.AnalysisServices.AdomdClient.AdomdConnectionException: The connection either timed out or was lost. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
Posted: 1/5/2012
Hey John
Issue is a double hop one:
If you're using "Unattended Service account", that account is used to login to the cube.
If you're not, and Kerberos and Delegation are not set up correctly, the PPS service account will log into the cube.
MS has a very detailed whitepaper on getting Kerberos and Delegation set up for SharePoint 2010, called "SP2010 Kerberos Guide.docx".
Do a search, and ping me if you need more assistance.