Module 15: Implementing Security

Shared by: Vu Trung | Date: | File type: PDF | Pages: 38


Text content: Module 15: Implementing Security

  1. Module 15: Implementing Security
     Contents
     - Overview
     - Introducing Analysis Services Security
     - Understanding Administrator Security
     - Securing User Authentication
     - Understanding Database Roles
     - Implementing Dimension Security
     - Managing Cube Roles
     - Lab A: Implementing Cube Security
     - Review
  2. Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.
     Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
     © 2000 Microsoft Corporation. All rights reserved.
     Microsoft, BackOffice, MS-DOS, Windows, Windows NT, are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.
     BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY
  3. Instructor Notes
     Presentation: 60 Minutes
     Lab: 30 Minutes
     In this module, students will gather the skills necessary to implement security in Microsoft® SQL Server™ 2000 Analysis Services. Students will learn the concepts and mechanics of administrative permissions, database roles, and cube roles. In the lab, students create and test a role that uses dimension and cell security.
     After completing this module, students will be able to:
     - Understand the use of security in Analysis Services.
     - Explain administrator security.
     - Describe authentication methods.
     - Assign database roles.
     - Apply dimension security.
     - Manage cube roles.
     Materials and Preparation
     This section lists the required materials and preparation tasks that you need to teach this module.
     Required Materials
     To teach this module, you need the following materials:
     - Microsoft PowerPoint® file 2074A_15.ppt
     Preparation Tasks
     To prepare for this module, you should:
     - Read all the student materials.
     - Read the instructor notes and margin notes.
     - Complete all the demonstrations.
     - Practice the lecture presentation and demonstration.
     - Complete the lab.
     - Review the Trainer preparation presentation for this module on the Trainer Materials compact disc.
     - Review any relevant white papers that are located on the Trainer Materials compact disc.
  4. Module Strategy
     Use the following strategy to present this module:
     - Introducing Analysis Services Security: Explain that Analysis Services allows security to be defined at different levels in online analytical processing (OLAP) databases and cubes, from the server level down to the cell level.
     - Understanding Administrator Security: Explain that to administer Analysis Services, you must be a member of the Microsoft Windows® 2000 or Microsoft Windows NT® OLAP Administrators group.
     - Securing User Authentication: Introduce ways to connect to Analysis Server. Explain that user security is controlled by authentication.
     - Understanding Database Roles: Introduce roles by defining what they are and by giving some key parameters. Introduce the Database Role Manager dialog box and describe its use. Show how to define, delete, edit, and copy a new role. Define database role properties and introduce the Create a Database Role dialog box and how it allows you to define properties of a role. Display the dialog box as you discuss the user interface elements.
     - Implementing Dimension Security: Introduce dimension security. Explain that, with dimension security, you can prevent users from viewing specified dimension members, and data associated with those members. Show how dimension security is defined by using the Custom Dimension Security dialog box. Display the dialog box as you discuss the user interface elements.
     - Managing Cube Roles: Introduce the Cube Role Manager, explain dimension and cell security, describe advanced cell security permissions, and introduce administration and custom options.
  5. Overview
     Topic Objective: To provide an overview of the module topics and objectives.
     Lead-in: In this module, you will learn about Analysis Services security.
     Slide:
     - Introducing Analysis Services Security
     - Understanding Administrator Security
     - Securing User Authentication
     - Understanding Database Roles
     - Implementing Dimension Security
     - Managing Cube Roles
     This module teaches you how to implement security in Microsoft® SQL Server™ 2000 Analysis Services. You will learn the concepts and mechanics of administrative permissions, database roles, and cube roles. In the lab, you will create and test a role that uses dimension and cell security.
     After completing this module, you will be able to:
     - Understand the use of security in Analysis Services.
     - Explain administrator security.
     - Describe authentication methods.
     - Assign database roles.
     - Apply dimension security.
     - Manage cube roles.
  6. Introducing Analysis Services Security
     Topic Objective: To introduce the concept of security.
     Lead-in: By implementing security in Analysis Services, you limit access to data.
     Slide:
     - Administrator Security
     - Cube Security
     - Dimension Security
     - Cell Security
     - Special Options
     By implementing security in Analysis Services, you limit access to data. Analysis Services allows security to be defined at different levels and for different reasons in databases and cubes. For example, the following are types of Analysis Services security:
     - Administrator security defines who can administer an Analysis Server.
     - Cube security allows you to specify which users can read and write to an online analytical processing (OLAP) cube.
     - Dimension security allows you to restrict users from viewing specified dimension members.
     - Cell security, the most granular level of security, allows you to define the cells that users can read and write to.
     - Special options define security for drillthrough, cube linking, and SQL queries.
     Important: Database security can be applied in Analysis Services only when the Analysis Server is installed on an NTFS file system. Therefore, it is recommended that Analysis Services always be installed on an NTFS partition.
  7. Understanding Administrator Security
     Topic Objective: To explain administrator security.
     Lead-in: Administrator security defines who can administer an Analysis Server.
     Slide:
     - Administrator Security Is Based on Windows 2000 or Windows NT 4.0 Security
     - The User Who Installs Analysis Services Is Automatically Placed in the OLAP Administrators Group
     - Additional Administrators Must Be Added to the OLAP Administrators Group
     - All Administrators Have Identical Privileges
     - An Administrator Retains Full Access Privileges when Connected through a Client
     Administrator security defines who can administer an Analysis Server. It is important to understand how to grant administrators the required rights needed to gain access to the Analysis Server. The following are characteristics of administrator security:
     - To administer Analysis Services, you must be a member of the Microsoft Windows® 2000 or Microsoft Windows NT® 4.0 OLAP Administrators group. When Analysis Services is installed, a user group named OLAP Administrators is automatically created on the Analysis Server.
     - The user who performs the installation is automatically placed in the OLAP Administrators group.
     - Any additional administrators must be added to the OLAP Administrators group. You add administrators to the OLAP Administrators group outside Analysis Manager by using Windows 2000 or Windows NT 4.0 user administration.
     - Only one level of administrator privilege exists in Analysis Services. An administrator can perform all operations in a database, including deleting the database.
     - When connected to a cube through a client, administrators retain full read and write access to all cubes, dimensions, and cells, regardless of any defined cube, dimension, or cell security.
     Note: Administrators maintain write access to only those cubes that are write-enabled.
  8. It is recommended that you establish specific Windows 2000 or Windows NT accounts to administer Analysis Services. Administrators should refrain from accessing Web pages, productivity applications, and e-mail applications that support scripts or macros when using the administrative accounts because of the extensive data access rights of administrative account holders.
  9. Securing User Authentication
     Topic Objective: To introduce ways to connect to Analysis Server.
     Lead-in: User security is controlled by authentication.
     Slide:
     - Direct Connection
       - A user connects to Analysis Server directly
       - Authentication is based on credentials granted in the user domain account
     - HTTP Connection through IIS
       - A user connects to Analysis Server through IIS by using HTTP
       - Analysis Server relies on IIS authentication
     User security is controlled by authentication. There are two ways to connect to an Analysis Server, each with its own authentication method.
     - Direct Connection: When a user attempts to connect to an Analysis Server directly, the server attempts to authenticate based on credentials granted in the domain account of the user. If the connection string specifies a user name and password different from the login account of the user, the specified name and password are ignored. If the credentials of the user do not permit access to the Analysis Server from the network, authentication is unsuccessful and the connection fails. Analysis Services uses Security Support Provider Interface (SSPI), and supports various providers that use SSPI.
     - Internet Information Services (IIS): Users can connect to an Analysis Server through IIS by using Hypertext Transfer Protocol (HTTP). A connection string specifies the data source property. When a user attempts to connect through IIS, Analysis Server relies on IIS authentication. If authentication on IIS is unsuccessful, the connection to the Analysis Server is denied.
     Note: IIS provides several authentication methods. For additional information, refer to the Internet Information Services online documentation.
  10. Understanding Database Roles
     Topic Objective: To describe the concept of roles in Analysis Services.
     Lead-in: To give users access to Analysis Services databases and cubes, you must first create roles to assign the access.
     Slide:
     - Defining Roles
     - Using the Database Role Manager
     - Defining Database Role Properties
     To give users access to Analysis Services databases and cubes, you must first create roles to assign the access. To effectively manage roles, you need to understand the use of roles in Analysis Services, and how to create roles by using Analysis Manager. In the next section, you will learn about the following security topics relating to roles:
     - Defining roles.
     - Using the Database Role Manager.
     - Defining database role properties.
  11. Defining Roles
     Topic Objective: To define Analysis Services roles.
     Lead-in: You create roles to define the access of users to cube data or data mining models while they connect to Analysis Server through client applications.
     Slide:
     - Are Used to Grant Access to Analysis Services Databases and Cubes
     - Must Be Created: None Exist By Default
     - Cannot Be Shared Across Multiple Databases
     - Are Automatically Created at the Database Level if You Create Roles at the Cube Level
     - Are Managed in the Database Role Manager and the Cube Role Manager
     You create roles to define the access of users to cube data or data mining models while they connect to Analysis Server through client applications. Each role includes a list of user accounts and groups, and defines the access permissions that these users share. The following are key parameters regarding roles:
     - You define roles for Analysis Services databases and for the cubes in the databases.
     - By default, OLAP databases and cubes have no roles. When no roles are defined, only OLAP Administrators have access to the cubes.
     - You cannot share roles across multiple databases.
     - When you create a cube role, a database role of the same name is automatically created.
       - When you delete a cube role, the database role of the same name is not deleted.
       - Some properties of a database role are overridden by the corresponding cube or virtual cube roles without changing the properties of the database role.
       Note: Database roles cannot be overridden for a data mining model. For more information on data mining, see Module 17, “Introduction to Data Mining,” in course 2074A, Designing and Implementing OLAP Solutions with Microsoft SQL Server 2000.
     - There are two user interfaces for defining and managing roles: the Database Role Manager dialog box and the Cube Role Manager dialog box. To display the Database Role Manager for a database, right-click the database, and then click Manage Roles. To display the Cube Role Manager for a cube, right-click the cube, and then click Manage Roles.
  12. Using the Database Role Manager
     Topic Objective: To introduce the Database Role Manager dialog box.
     Lead-in: You use the Database Role Manager dialog box to define and administer roles for the database.
     Delivery Tip: Display the Database Role Manager dialog box as you discuss the user interface elements.
     You use the Database Role Manager dialog box to define and administer roles for databases. Roles can be assigned to cubes, including virtual and linked cubes, and data mining models.
     Defining a Role
     To define a new role for a database, perform the following steps:
       1. Right-click the database, and then click Manage Roles.
       2. Click New in the Database Role Manager dialog box.
       3. Define the role properties by using the Create a Database Role dialog box that is discussed later in this section.
     Deleting a Role
     To delete a role in a database, perform the following steps:
       1. Right-click the database, and then click Manage Roles.
       2. In the Database Role Manager dialog box, click the role you want to delete.
       3. Click Delete.
     Editing a Role
     To edit a role in a database, perform the following steps:
       1. In the Database Role Manager dialog box, click the role you want to edit.
       2. Click Edit.
  13. Copying a Role
     To copy a role in a database, perform the following steps:
       1. In the Database Role Manager dialog box, click the role you want to copy.
       2. Click Duplicate.
       3. Enter a name for the new role, and then click OK.
  14. Defining Database Role Properties
     Topic Objective: To explain database role properties.
     Lead-in: The Create a Database Role dialog box allows you to define properties of a role.
     Delivery Tip: Display the Create a Database Role dialog box as you discuss the user interface elements.
     The Create a Database Role dialog box allows you to define the following properties of a role:
     - The users and user groups that belong to the role
     - The cubes to which the role is assigned
     - The data mining models to which the role is assigned
     - The shared dimensions for which you want to restrict user access
     The Create a Database Role dialog box contains interface elements similar to the Create a Cube Role dialog box. Both interfaces are straightforward to use when defining database and cube security.
     Role Name
     The role name can be up to 50 characters long. After a role is defined, the role name cannot be changed.
     Enforce On
     Roles can be enforced on either the client or the server. By default, roles are enforced on the client. Client enforcement provides superior performance, but increases the risk of unauthorized access. Server enforcement is more secure, but may affect performance.
     Note: Cell security, discussed later, requires that security be enforced on the client.
     Membership
     On the Membership tab, you specify which users or user groups belong to the role. Users and user groups must be predefined by using Windows 2000 or Windows NT 4.0 user administration.
  15. Cubes
     On the Cubes tab, you specify the cubes to which the role is assigned. A role can be assigned to any type of cube: regular, virtual, or linked. After a role is assigned to a cube, some properties of the role can be customized for the cube without changing the database role.
     Mining Models
     On the Mining Models tab, you specify the data mining models to which the role is assigned.
     Dimensions
     The Dimensions tab allows you to restrict access to dimension members. Only shared dimensions display on this tab. To restrict access to a private dimension, you must use the Cube Role Manager dialog box.
  16. Implementing Dimension Security
     Topic Objective: To introduce dimension security.
     Lead-in: By using dimension security, you prevent users from viewing specified dimension members and data associated with those members.
     Delivery Tip: Display the Custom Dimension Security dialog box as you discuss the user interface elements.
     Key Point: By using dimension security, you prevent users from viewing specified dimension members and data associated with those members.
     By using dimension security, you prevent users from viewing specified dimension members and data associated with those members. For example, the preceding illustration shows a dimension security rule that limits access to Roberta Damstra employees. Any users connecting to the cube through this role will see data and dimension members for only Roberta Damstra and her subordinate employees at lower levels in the Employee dimension.
     Dimension security is defined by using the Custom Dimension Security dialog box, which contains three tabs.
     Basic Tab
     The Basic tab on the Custom Dimension Security dialog box provides the following security properties:
     - Select visible levels: This pane allows you to specify the top and bottom visible levels in the dimension. Use these settings if you want to deny access to entire levels.
     - Select members: This pane displays a check box next to each dimension member. Selected members are visible to users assigned to the role. Deselected members are not visible to the users.
  17. Advanced Tab
     For complex dimension security, the Advanced tab allows you to enter multidimensional expression (MDX) statements that define the dimension members viewable by users assigned to the role. On the Advanced tab:
     - Data inputs from the Basic tab are represented as MDX statements. You can edit the MDX statements directly in the edit boxes, or you can click the ellipsis buttons (…) to display the MDX Builder dialog box.
     - Separate MDX statements define the top viewable level, the bottom viewable level, the visible members, and the invisible members.
     Common Tab
     The Common tab lists two important features:
     - Visual Totals: When you enable this property, members that are hidden because of dimension security are not included in aggregations. When you do not enable the Visual Totals property, a parent member value may not equal the value of its visible children. In addition, when visual totals are disabled, users may be able to deduce the values for hidden members. When you hide dimension members, you normally enable the Visual Totals property to prevent these problems from occurring.
       Note: Visual totals cannot be enabled for a cube containing a measure based on a distinct count. For more information on distinct count measures, see Module 6, “Working with Cubes and Measures,” in course 2074A, Designing and Implementing OLAP Solutions with Microsoft SQL Server 2000.
     - Default Member: For users assigned to the role, this property (an MDX statement) specifies the default member for the defined dimension. The MDX statement can be a simple member name, or a complex expression that evaluates the member name dynamically.
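The Visual Totals behaviour described on the Common tab, modelled in Python as an added example (not part of the course material and not Analysis Services code). It is a simplified model in which a parent's value is the sum of its children; apart from Roberta Damstra, the member names and all values are constructed, and `deducible` reports what a role member can work out about hidden members from the totals the role is shown.

```python
"""Simplified model of dimension security with and without Visual Totals."""

# Constructed hierarchy (parent -> children). Only "Roberta Damstra" comes
# from the page; the other members are hypothetical.
CHILDREN = {
    "All Employees": ["Roberta Damstra", "Hypothetical Manager B"],
    "Roberta Damstra": ["Employee R1", "Employee R2"],
    "Hypothetical Manager B": ["Employee B1"],
}
# Constructed measure values at the leaf level.
LEAF_VALUE = {"Employee R1": 52000, "Employee R2": 61000, "Employee B1": 48000}


def true_total(member):
    """Aggregate over every descendant, ignoring security."""
    kids = CHILDREN.get(member)
    if not kids:
        return LEAF_VALUE[member]
    return sum(true_total(k) for k in kids)


def reported_total(member, denied, visual_totals):
    """Value shown to the role for a visible member.

    With Visual Totals on, hidden (denied) members are left out of the
    aggregation; with it off, the parent keeps its full value.
    """
    if not visual_totals:
        return true_total(member)
    kids = CHILDREN.get(member)
    if not kids:
        return LEAF_VALUE[member]
    return sum(reported_total(k, denied, True) for k in kids if k not in denied)


def deducible(denied, visual_totals, root="All Employees"):
    """Map each group of hidden siblings to the value a user can infer.

    The inference is the gap between a visible parent's reported value and
    the sum of its visible children's reported values.
    """
    leaks = {}
    stack = [root]
    while stack:
        parent = stack.pop()
        kids = CHILDREN.get(parent, [])
        shown = [k for k in kids if k not in denied]
        hidden = tuple(k for k in kids if k in denied)
        gap = reported_total(parent, denied, visual_totals) - sum(
            reported_total(k, denied, visual_totals) for k in shown
        )
        if hidden and gap != 0:
            leaks[hidden] = gap
        stack.extend(shown)  # hidden subtrees are never walked
    return leaks


if __name__ == "__main__":
    role_denied = {"Employee R2"}  # member deselected for the role
    for vt in (False, True):
        print("Visual Totals", "on " if vt else "off",
              "-> deducible:", deducible(role_denied, vt))
```

Running the same check over a role's denied members before the role is assigned shows whether any parent total still exposes a hidden value.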
  18. Demonstration: Defining a New Database Role
     Topic Objective: To demonstrate how to define a database role.
     Lead-in: In this demonstration, you learn how to add a new role to the FoodMart 2000 database.
     Delivery Tip: Encourage students to follow along with your demonstration.
     In this demonstration, you learn how to add a new role to the FoodMart 2000 database.
     To display the Create a Database Role dialog box
       1. In Analysis Manager, right-click the FoodMart 2000 database, and then click Manage Roles.
       2. In the Database Role Manager dialog box, click New.
     To specify basic properties
       1. In the Create a Database Role dialog box, type My New Role in the Role name box.
       2. In the Enforce on list, click Server.
     To specify role membership
       1. In the Create a Database Role dialog box, click the Membership tab, and then click Add.
       2. In the Add Users and Groups dialog box, click any user group, and then click Add.
       3. Click OK to close the Add Users and Groups dialog box.
  19. To assign the role to a cube
       1. In the Create a Database Role dialog box, click the Cubes tab.
       2. Select the HR cube check box.
       3. Click OK to close the Create a Database Role dialog box.
       4. Click Close to close the Database Role Manager dialog box.
       5. In the FoodMart 2000 database, expand the Cubes folder.
       6. Click the HR cube, and then click the Meta Data tab.
       7. In the Meta Data pane, scroll down to Roles. Verify that role My New Role is assigned to the cube.
  20. Managing Cube Roles
     Topic Objective: To introduce the concept of managing cube roles.
     Lead-in: This section explains how to manage cube roles.
     Slide:
     - The Cube Role Manager
     - Dimension and Cell Security
     - Advanced Cell Security Permissions
     - Administration of Custom Options
     This section introduces how to manage cube roles by using the Cube Role Manager. The section also explains dimension and cell security, advanced cell security permissions, and the administration of custom options.