All PerformancePoint content is
stored in SharePoint, which makes it easy for employees to share and re-use
that content. But what about content that you want to restrict? This article
will give you instructions for locking down PerformancePoint content in
SharePoint.
Note: Data-level security, which
allows you to limit the data that users can access through analysis of
published reports, is outside the scope of this post.
The Prerequisites
Before we get into the different
security settings, let’s make sure that all our ducks are in a row. First of
all, you will need to be a site collection administrator to enable the site
collection features. If you are not one, then you will need to contact one and
ask them to make some of these prerequisite changes for you. Your SharePoint administrator
can tell you who your site collection administrators are.
Next, you need your
PerformancePoint-enabled lists and document libraries to be available to the
Dashboard Designer. If they aren’t, you won’t be able to save content to those
locations. If you’re using the Business Intelligence Center site
template, you will already have a data connection library called Data
Connections and a content list called PerformancePoint Content and
should be good to go. If you aren’t, or if you want to use a site template
other than the BI Center template, you need to make sure the proper features
are active. Enabling these features will allow you to select
PerformancePoint-specific list and library templates from the Create
menu under Site Settings when creating a new list or library
specifically for BI. To do this, go to the home page for your site and, from
the Site Actions link in the upper-left corner, select the link at the
bottom, Site Settings.
The Site Actions Menu
In the Site Collection Administration
section, select Site collection features and make sure that SharePoint
Server Publishing Infrastructure and PerformancePoint Services Site
Collection Features are both active; if they are not, activate them in that
order (Publishing Infrastructure first). In the Site Actions section, select
Manage site features and make sure that PerformancePoint Services Site
Features is active.
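If you would rather script the prerequisite step than click through Site Settings, here is an added example (not code from the original post) that activates the three features in the order described above and then reports what is active at each scope. The site URL is a placeholder, and the internal feature names PublishingSite, PPSSiteCollectionMaster (site collection scope) and PPSSiteMaster (web scope) are the names as I know them; confirm them with Get-SPFeature on your farm before relying on this.

```powershell
# Added example, not from the original post. Activates the prerequisite
# features in the order the post describes, then verifies them.
# Assumptions: placeholder site URL; feature names as I know them
# (check with Get-SPFeature | Where-Object { $_.DisplayName -like "PPS*" }).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "https://intranet.example.com/sites/bi"   # placeholder

# Order matters: Publishing Infrastructure first, then the PerformancePoint
# site collection features, then the web-scoped site feature.
$siteCollectionFeatures = @("PublishingSite", "PPSSiteCollectionMaster")
$webFeatures            = @("PPSSiteMaster")

foreach ($name in $siteCollectionFeatures) {
    # Get-SPFeature -Site only returns features already active on that site collection
    if (-not (Get-SPFeature -Identity $name -Site $siteUrl -ErrorAction SilentlyContinue)) {
        Enable-SPFeature -Identity $name -Url $siteUrl
    }
}
foreach ($name in $webFeatures) {
    if (-not (Get-SPFeature -Identity $name -Web $siteUrl -ErrorAction SilentlyContinue)) {
        Enable-SPFeature -Identity $name -Url $siteUrl
    }
}

# Verification: show which of the required features are now active at each scope.
Get-SPFeature -Site $siteUrl |
    Where-Object { $siteCollectionFeatures -contains $_.DisplayName } |
    Select-Object DisplayName, Scope
Get-SPFeature -Web $siteUrl |
    Where-Object { $webFeatures -contains $_.DisplayName } |
    Select-Object DisplayName, Scope
```

Run this from the SharePoint Management Shell as a farm administrator who is also a site collection administrator for the target site; the checks before each Enable-SPFeature make the script safe to re-run.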
Next we need to set up data
connection libraries and content lists. Data connection libraries (also called
data source libraries) contain files called data sources that give
PerformancePoint objects access to the data they need to consume. Content lists,
which are really just SharePoint lists with the appropriate content types,
contain all other PerformancePoint content such as reports, scorecards, and
dashboards.
If you need or want to create new
libraries or lists, click the All Site Content link on the site home
page and then click Create.
All Site Content for a Site
To create a data connections
library, go to the Libraries section and click Data Connections
Library for PerformancePoint. To create a new content list, go to the Custom
Lists section and click PerformancePoint Content List. In either
case, all you need to do is provide a name and then click Create. The
great thing about these list and library templates is that they include the
proper content types that make them visible to the Dashboard Designer.
Assigning Permissions in Lists and Libraries
When the Dashboard Designer needs to
connect to SharePoint, it uses the Windows identity of the current user.
Therefore, either that user or a group the user belongs to needs to have
the appropriate level of permissions in SharePoint for anything they need to
access or save back to SharePoint.
In order to assign those permissions
on the site home page, open the Site Actions menu and click on Site
Permissions.
Site Permissions
Click on the Grant Permissions
button to assign permissions to the entire site for a specific Windows user or
group. From this new dialog, add the users or groups to assign permissions to.
Then you can either add them to an existing SharePoint group with preset
permissions or individually specify the permissions yourself.
For users that only need to add,
edit, or delete content in Dashboard Designer, adding them to the BI Members
group (or directly giving them the equivalent of Contributor permissions)
is sufficient. Users that need to be able to deploy dashboards to SharePoint
will need to be added to the Designers group (or directly given the
equivalent of Designer permissions).
Say for instance that you have a
user who needs Read permissions on a deployed dashboard but you do not
want them to be able to view data source connection strings, which would normally
be shown to these users. This is fairly common because these connection
strings can contain credentials in plaintext, which you will likely want very
few people to have access to. You can do this by setting up customized
permission levels. Click on Permission Levels from the Site
Permissions page and then click on the Read permission level. Once
the Read details come up, click on Copy Permission Levels. Give
the new permission level a name and then scroll down to the bottom and unselect
the Open Items permissions in the List Permissions section, which
is the specific permission PerformancePoint looks for when determining whether to
show connection strings. Click Create after you’re done. If you want to
start with an empty permission set, you can just click on Add a Permission
Level from the Permission Levels screen. Your new permission level
will show up in the Grant Permissions dialog.
What would you do if you have a user
that wants to be able to save drafts of content in a private area that only
they have access to? Fortunately, it is easy to apply permissions for specific
lists and libraries. You can even apply permissions to individual items within
lists or libraries if, for instance, you have a data source that only certain
people should use because it accesses sensitive information. Open a data
connection library or content list in SharePoint. Bring up the Library
toolbar for data connection libraries or the List toolbar for content
lists. Click on the List Permissions icon.
List Permissions for a Site
Click on Stop Inheriting
Permissions for the list or library and then assign permissions as before.
To apply permissions to a single
item, bring down the dropdown menu for a single item and click Manage
Permissions (or you can click on the item directly and click Manage
Permissions in the new dialog). From here, click on Stop Inheriting
Permissions for the item and then assign permissions as before.
Note: While it is possible to apply
permissions to individual scorecards, it is NOT possible to apply permissions
to individual annotations within a scorecard. These can only inherit the
permissions of the scorecard they are attached to.
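The two procedures above, creating a copy of Read without Open Items and then applying permissions to a specific library, can also be done from the server-side object model. The following is an added example, not code from the original post: it copies the Read level, clears the OpenItems bit, breaks inheritance on a data connection library, grants one user the new level there, and then checks that user's effective permissions on the library. The site URL, library title and user login are placeholders, and it assumes the BI Center is the root web of its site collection (custom permission levels are stored on the root web).

```powershell
# Added example, not from the original post. Builds a "Read without Open
# Items" permission level and applies it to one library.
# Assumptions: placeholder URL, library title and login; the library lives
# in the root web of the site collection.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "https://intranet.example.com/sites/bi"   # placeholder
$listTitle = "Data Connections"                         # library from the BI Center template
$userLogin = "CONTOSO\report.viewer"                    # placeholder
$newLevel  = "Read (no connection strings)"

$site = Get-SPSite $siteUrl
$web  = $site.RootWeb   # custom permission levels are defined on the root web
try {
    # 1. Copy Read and remove Open Items, the permission PerformancePoint
    #    checks before it shows connection strings.
    if ($web.RoleDefinitions | Where-Object { $_.Name -eq $newLevel }) {
        Write-Host "Permission level '$newLevel' already exists"
    } else {
        $read = $web.RoleDefinitions["Read"]
        $def  = New-Object Microsoft.SharePoint.SPRoleDefinition
        $def.Name        = $newLevel
        $def.Description = "Read access without Open Items"
        $mask = [uint64]$read.BasePermissions
        $mask = $mask -band (-bnot [uint64][Microsoft.SharePoint.SPBasePermissions]::OpenItems)
        $def.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]$mask
        $web.RoleDefinitions.Add($def)
    }

    # 2. Stop inheriting on the library and grant the user the new level there.
    $list = $web.Lists[$listTitle]
    if (-not $list.HasUniqueRoleAssignments) {
        # $true copies the current (inherited) assignments as a starting point
        $list.BreakRoleInheritance($true)
    }
    $user = $web.EnsureUser($userLogin)
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($user)
    $assignment.RoleDefinitionBindings.Add($web.RoleDefinitions[$newLevel])
    $list.RoleAssignments.Add($assignment)

    # 3. Check the effective permissions, which include anything the user
    #    still receives through group membership on this library.
    $effective = $list.GetUserEffectivePermissions($userLogin)
    $openItems = [uint64]($effective -band [Microsoft.SharePoint.SPBasePermissions]::OpenItems)
    Write-Host "$userLogin still has Open Items on '$listTitle': $($openItems -ne 0)"
}
finally {
    $web.Dispose()
    $site.Dispose()
}
```

The final check matters because the new level only helps if nothing else grants Open Items: if the user is also in the Visitors group and that group keeps Read on the library, the effective permissions still include Open Items and the connection strings will still be visible. Review the copied assignments after BreakRoleInheritance and remove any group that should not retain Read there.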
The Unattended Service Account
The Unattended Service Account (USA) is used by default in
PerformancePoint data sources to connect to external data sources such as
Analysis Services. It is a property associated with a PerformancePoint service
application, so many users may use the USA concurrently if they are all using
data sources that use the USA. You can set or change the USA by going to the Application
Management section in Central Administration and selecting Manage
Service Applications, clicking on any service application of type PerformancePoint
Service Application, and then selecting PerformancePoint Service
Application Settings.
Setting the USA from the Properties page for a service
application
The USA should be associated with an
account that has been created specifically for this role. It should not be an
existing user account. And since it connects to your back-end data, it is
important to restrict the rights of the USA as much as you can get away with.
While it does need to be able to read data from these data sources and execute
queries against them, it should never have permission to create, edit, or
delete content. There are no PerformancePoint features that require these
permissions, and granting them exposes your back-end data to unnecessary risk.
Trusted Locations
PerformancePoint uses SharePoint
trusted locations to determine which objects it trusts to execute queries
against back-end data sources like SQL Server. So if you want to be able to
render and do ad-hoc analysis on an Analytic Chart report, both the chart
object and its data source object must be located within trusted locations.
By default, PerformancePoint trusts
all locations and lists in SharePoint. However, you can change this so that
only individual libraries or lists are trusted by PerformancePoint.
Bring up the Central Administration
page for SharePoint and in the Application Management section, click on Manage
service applications. Then click on any service application whose type is PerformancePoint
Service Application. From here, you can click on Trusted Data Source
Locations or Trusted Content Locations to manage trusted locations
associated with the current service application. Switch to Only specific
locations to tell SharePoint to only trust the locations you specify. Then
click on Add Trusted Data Source Location or Add Trusted Content
Location.
Copy Library/List URL into the Trusted Location Dialog
If you only want to trust a single
data connection library or content list, copy the URL for that library or list
into the Address field. If you want to trust all data connection
libraries or content lists within a given site or site collection, copy the URL
for the site or site collection into the Address field and make sure the
Location Type is correct. Click on the button to the right of the Address
field to validate the URL. If done correctly, you should be able to select the
proper location type for the trusted location. Click OK and you’re done.
All content in this library or list will now be considered trusted by
PerformancePoint.
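Both of the Central Administration settings above, the Unattended Service Account and the trusted locations, are also exposed through the PerformancePoint Services cmdlets in the SharePoint Management Shell. The following is an added example, not code from the original post: it sets the USA from a prompted credential, switches both trusted-location types to "only specific locations", trusts one data connection library and one content list rather than the whole site, and lists the result. The account name and URLs are placeholders, and the cmdlet and parameter names are the ones I know from the PerformancePoint snap-in; check Get-Help on each before running it.

```powershell
# Added example, not from the original post. Sets the USA and restricts
# trusted locations for the first PerformancePoint service application.
# Assumptions: placeholder account and URLs; cmdlet names as I know them.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ppsApp = Get-SPPerformancePointServiceApplication | Select-Object -First 1

# 1. Unattended Service Account: a dedicated account with read-only rights on
#    the back-end data. Prompt for the password instead of embedding it.
$usa = Get-Credential "CONTOSO\svc-pps-usa"   # placeholder account
Set-SPPerformancePointServiceApplication -Identity $ppsApp -UnattendedServiceAccount $usa

# 2. Move from "trust all locations" to "only specific locations" for both
#    data source and content locations.
Set-SPPerformancePointServiceApplication -Identity $ppsApp `
    -TrustedDataSourceLocationsRestricted $true `
    -TrustedContentLocationsRestricted $true

# 3. Trust a single library and a single list, not the site collection.
$biSite = "https://intranet.example.com/sites/bi"   # placeholder
New-SPPerformancePointServiceApplicationTrustedLocation -ServiceApplication $ppsApp `
    -Url "$biSite/Data Connections" -Type DocumentLibrary -TrustedLocationType DataSource `
    -Description "BI Center data connection library"
New-SPPerformancePointServiceApplicationTrustedLocation -ServiceApplication $ppsApp `
    -Url "$biSite/Lists/PerformancePoint Content" -Type List -TrustedLocationType Content `
    -Description "BI Center content list"

# 4. Check: show everything this service application now trusts.
Get-SPPerformancePointServiceApplicationTrustedLocation -ServiceApplication $ppsApp |
    Select-Object Url, Type, TrustedLocationType
```

Once step 2 has been applied, any Analytic Chart whose data source sits in an untrusted library will stop rendering, so run step 4 and compare the list against the libraries your dashboards actually use before rolling this out to users.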
We’ve only scratched the surface of
security in PerformancePoint and SharePoint, but I hope that this introduction
has given you the basic knowledge you need to ensure that your data gets to the
people who need it, and ONLY those people. In the future, we will go beneath
the surface and go into a more detailed discussion of some specific security
topics.