I am investigating how to secure access to msdmpump.dll from the client, and I think that the only way is to introduce a server-side (Web Api) service as an intermediary between msmdpump.dll and the client application. Is that correct?
Assuming it is, could you provide some guidance on how to implement Web Api to do this?
17 Answers, 1 is accepted
We are not sure what you mean here `I am investigating how to secure access to msdmpump.dll from the client`.
However you can use ADOMD to feed the PivotGrid with data. This way the request to the msmdpump.dll is made on server, while the client requests sort of proxy to it. The following code-library demonstrates how to implement this: bind-to-adomd-client.
Does this effectively mean that the ajax version of pivotgrid is a tighter more secure option (as i am guessing the SSAS commands for ajax are generated server side) than the kendo version, for this dynamic stuff where commands would seem to be formed on the client.
Unless you can suggest some sort of gatekeeper layer at the server?
Please note personally everything about kendo pivotgrid appeals to me, just wanting to explore security issues / possibilities,
In general, the PivotGrid bound to OLAP service will perform Ajax requests using the XMLA protocol, nothing more. In other words, the pivotgrid generates a XMLA request and sends it to the OLAP service. If it returns any result then the widget will render them.
That being said, it should be sufficient to secure the access to the OLAP service requesting an authentication information. Here is a thorough MSDN help document on the same subject.
I am evaluating Kendo UI pivotgrid. We need to communicate to SSAS cube using msmdpump.dll site on IIS. We need to specify userid and password. We have configured only Basic authentication and Impersonation on the web site.
Where do we specify userid/password in the configuration?
transport.read does not seem to have userid and password attributes?
I am trying with the following set up...but it does not connect to the cube.
Using the following I can largely resolve the issue.
$.support.cors = true;
Still IE8 complains about web page accessing data not under its control.
I can try ajax function as an argument of transport.read. Is there a declarative way to handle the settings better?
I would suggest you review the "Access the cube securely" help topic:
With regards to the older browsers that does not support CORS, I would suggest you use proxy for communication. Thus you will be able to request the cube more securely too.
OK, two steps forward and one step back.
It seems that you can't specify a username in an ADOMD connection string, and you can only log in to SSAS using a Windows account. Therefore I had to set the app pool on the web server to use my domain account.
Even so, I'm getting a lot of errors: The <CubeName> cube either does not exist or has not been processed. Which I think is symptomatic of a permissions or connection issue between the web server and SSAS.
Any ideas or suggestions for fixes?
In general, access authorization is a tricky task when it comes to data bases, cubes, IIS. What I would suggest you is to request the exposed service directly using a simple Ajax request:
I am afraid that we would not be able to assist you with this particular task, as it falls out of the scope of the entitled support service.
Finally got a workable approach.
While the username, password, effectiveusername fields in the ADOMD connection string either are ignored or don't work, crucially, the Roles field does.
Therefore, with IIS set to run as a domain user that is an administrator in SSAS, we can set up roles in SSAS and by specifying the role name in the connection string (the web server code first matches a user to a the correct role) ensure that dimension security is enforced.
so, i use similar code from the project below.
how can i pass parameter before i load the grid. for instance, i want to show only specific client data from the cube. i have client id available on html/cshtml view. how can i pass it to below and display only that specific client related data only. i dont want to show all clients data but only one client that is associated with user logged in.
public ActionResult Read([PivotDataSourceRequest] PivotDataSourceRequest request)
The described scenario to show only specific data to the user sounds like the data should be filtered.
You may pass the filter configuration as shown in the how-to article at:
Let me know what you think and if you need more information, please do not hesitate to get back to me.