Date post: | 07-Dec-2014 |
Upload: | wwwpanoramacom |
Necto Training
Module 9: Necto Architecture and Security
Agenda
• Necto Architecture
• Necto Security
Server Architecture
Prerequisites
[Diagram labels: Windows 2008; Necto Software; Necto Server; Customer Data; Data Warehouse; Analysis Server; IIS; Client]
BI Services
[Diagram labels: Windows 2008; Necto Software; Necto Server; Customer Data; Data Warehouse; Analysis Server; BI Server; NovaView.aspx; IIS; Client]
• BI Calculations
• BI Display
Administrative Services
[Diagram labels: Windows 2008; Necto Software; Necto Server; Customer Data; Data Warehouse; Analysis Server; BI Server; Admin Server; Social; NovaView.aspx; Admin Web Services; IIS; Client]
Administration of:
• Workboard trees
• Social
• Users and roles
• Etc.
Necto Server Data Calculation and Storage
[Diagram labels: Windows 2008; SQL Express; Necto Software; Necto Server; Necto DB; Necto Calculations Server/s; SQL Server; BI Server; Admin Server; Social; NovaView.aspx; Admin Web Services; IIS; Client]
• Both BI and Admin servers use this work area
• Can use SQL Express installed with Necto
  or
• Recommended: separate SQL servers
Universal Data Connector (UDC)
[Diagram labels: SQL; Windows 2008; Necto Software; Necto Server; Customer Data; Data Warehouse; UDC; LB; Analysis Server; Analysis Services instance; BI Server; Admin Server; Social; NovaView.aspx; Admin Web Services; IIS; Client; Data Sources]
• Provides connection to additional data sources
• Performs load balancing of UDC requests
• Creates and updates cubes
Necto Architecture Summary
[Diagram labels: SQL; Windows 2008; SQL Express; Necto Software; Necto Server; Customer Data; Data Warehouse; UDC; LB; Necto DB; Necto Calculations Server/s; Analysis Server; Analysis Services instance; SQL Server; BI Server; Admin Server; Social; NovaView.aspx; Admin Web Services; IIS; Client; Data Sources]
Security
Security Overview
Content Security
Data (OLAP) Security
Roles
• Which portions of the data will be available
• Defined in terms of Dimensions and Members
Users
• Which workboards will be available
• Can be implemented by user name or by the role the user belongs to
Data (OLAP) Security
• Users are added to roles in an SSAS cube
• Roles specify which objects and members will be available to users
• Users must be part of an Active Directory domain and imported into Necto Dashboard
[Diagram labels: OLAP; Domain Users; Roles; Groups; User]
Users and Roles
[Diagram labels: Necto; OLAP; Roles; Domain Users; Groups; User; Import]
• Roles can be added manually
• When an Active Directory user logs into Necto, a user is created in Necto
• Server Users: from Necto Server
• Necto Users: manually defined
Data (OLAP) Security
• Users are added to roles in an SSAS cube
• Roles specify which objects and members will be available to users
• Users must be part of an Active Directory domain and imported into NovaView Dashboard
• Necto and Server users can be mapped to domain users
  For example: a guest user
[Diagram labels: Necto; Roles; Server Users; Domain Users; Necto Users; Groups]
Role vs. User Based Security
[Diagram labels: Users; Roles; Content Security; Data (OLAP) Security]
• Both security methods can be implemented per role or per user.
• What should I use?
Role vs. User Based Security
[Diagram labels: Analysis Server; Necto Server]
• Connection to data source is defined by: Server, database, cube, security (Role or User)
• Role-based security enables reuse of connection
• Better efficiency of Necto and AS
Content Security
• Public Workboards
  Access rights (permissions) are assigned by administrator per role
• Private folders
  Per user
  User can share with users or roles
• Shared folders of other users
Best Practice:
• Public folders: view-only for most users
• Users should create new workboards in their private folder
Content Permissions Levels
| Name | Weight | Description |
|---|---|---|
| Admin | 5 | All administrative rights, including giving rights to others |
| Deny | 4 | The user will see that the workboard exists but will not be able to view it |
| Write | 3 | User will be allowed to change and edit the workboard |
| Read | 2 | View only |
| Hidden | 1 | The user will not see that the workboard exists and therefore will not be able to access it |
| None | 0 | No permission has been assigned. Permissions will be inherited from parent folder |
Role A = Permission Admin
User James is part of Role A
Permission = Inherit Admin
Breaking Inheritance: If Same Role, Take Last, Unless Admin
• Example 1: Role A = Permission Admin; Role A = Permission Hidden. Permission – Inherit Admin (Same Role, Take Last, Unless Admin)
• Example 2: Role A = Permission Read; Role A = Permission Hidden. Permission – Inherit Hidden (Same Role, Take Last)
• Example 3: Role A = Permission Read; Role A = Permission Deny. Permission – Inherit Deny (Same Role, Take Last)
Combining Hierarchies: User James is Member of Role A & B
• Example 1: Role A = Permission Admin; Role B = Permission Hidden. MAX(Admin, Hidden): Permission – Inherit Admin
• Example 2: Role A = Permission Read; Role B = Permission Hidden. MAX(Read, Hidden): Permission – Inherit Read
• Example 3: Role A = Permission Read; Role B = Permission Deny. MAX(Read, Deny): Permission – Inherit Deny
Breaking & Combining Hierarchies: First Break, Then Combine
[Diagram: folder hierarchy annotated with Read, Hidden, Deny and Admin permissions for Role A, Role B and Role C]
Remove: Remove any role that James is not a part of
Removing Role C: “James is a Member of Role A & B”
[Diagram: folder hierarchy annotated with permissions for Role A, Role B and Role C]
Break Hierarchy: In each role use Thumb Rule 1: Break Hierarchy
“Use last folder permission unless Root = Admin”
[Diagram: folder hierarchy annotated with permissions for Role A and Role B]
Role A = Permission Deny
Role B = Permission Admin
Combine: ”The highest permission is selected”
[Diagram: folder hierarchy annotated with permissions for Role A and Role B]
Role A = Permission Deny
Role B = Permission Admin
Breaking & Combining Hierarchies: First Break, Then Combine
[Diagram: folder hierarchy annotated with permissions for Role A and Role B]
Permission – Inherit Admin
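The remove, break and combine steps above can be written as a small resolver. This is an added example, not Necto code: the weights are the ones in the Content Permissions Levels table, while the path-of-folders data model, the function names and the sample path are assumptions, and "unless Root = Admin" is read literally as the first folder on the path.

```python
# Added example. Weights come from the page's table; the data model is assumed.
WEIGHT = {"Admin": 5, "Deny": 4, "Write": 3, "Read": 2, "Hidden": 1, "None": 0}

def break_hierarchy(path, role):
    """Break step for one role: last folder permission wins unless Root = Admin.

    path: list of {role: permission} dicts ordered root -> target folder.
    A folder with no entry for the role counts as None (inherit from parent).
    """
    assigned = [folder.get(role, "None") for folder in path]
    if assigned and assigned[0] == "Admin":
        return "Admin"
    effective = "None"
    for perm in assigned:
        if perm != "None":
            effective = perm
    return effective

def effective_permission(path, user_roles):
    """Remove roles the user is not in, break each role, then combine by MAX."""
    roles_on_path = {role for folder in path for role in folder}
    per_role = {r: break_hierarchy(path, r) for r in roles_on_path & set(user_roles)}
    winner = max(per_role.values(), key=WEIGHT.__getitem__, default="None")
    return winner, per_role

def outvoted(per_role, winner):
    """Roles whose Deny or Hidden result lost to a higher weight from another role."""
    return sorted(r for r, p in per_role.items()
                  if p in ("Deny", "Hidden") and WEIGHT[p] < WEIGHT[winner])

# Constructed sample path (root first); not taken from the slides' diagram.
JAMES_PATH = [
    {"Role A": "Read", "Role B": "Admin", "Role C": "Read"},
    {"Role A": "Hidden", "Role B": "Read"},
    {"Role A": "Deny", "Role B": "Hidden", "Role C": "Hidden"},
]

if __name__ == "__main__":
    winner, per_role = effective_permission(JAMES_PATH, {"Role A", "Role B"})
    print(per_role, "->", winner, "| outvoted:", outvoted(per_role, winner))
```

Running `outvoted` over every workboard path gives an administrator a list of places where a Deny or Hidden set for one role is overridden by a higher-weight permission from another role the same user holds.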
Summary
In this lesson you have learned about:
• Necto Architecture
• Necto Security
Thank you
Any Questions?