Cube Security Effectiveness and Breaches

Hi!

I've a client with questions regarding cube security.  I've explained about role-based security which is driven by Active Directory user account membership in security groups.  I've talked about data-driven security models.  I've described dimensional and cell security ('atomic security').

But one question remains:  how effective is it?  What I believe is really being asked by my client is: how easy is it to crack?

Now, I've never heard of a direct attack on an SSAS cube succeeding.  Have you?  Have you ever noted a failed intrusion attempt?

I'm well aware that there are many other potential attack vectors, especially if the cracker gains access to the file system.  But here I am talking about a SharePoint-based front end containing the business intelligence portal to the presentation layer.  Authorised self-service users can also gain direct access to the presentation layer via an intranet IP.  These are the access paths I'm talking about.

FYI, although I'm referring to a fully-patched SSAS 2012/2014 installation, I'd like to ask you if you've ever heard of any attempt to crack an SSAS cube, of any version.

Cheers,

February 20th, 2015 12:47pm

Hi Folks . . . does no-one have any opinions on SSAS security effectiveness? . . . Donna
February 23rd, 2015 12:03pm

Technically, this is not really a question about SSAS, but Windows AD integrated security.

Due to the way AD security passes "tokens" and not login/password information, it is extremely difficult to "spoof" a valid identity using AD authentication which would be validated in SSAS, or any other integrated security application.

It is much more likely someone with admin privileges will simply add themselves to the AD group with access to SSAS, then do what they want, and remove themselves from the AD group.  Without auditing of the AD group, you would never know.

I would suggest posting your question in the Windows Security forum:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity

February 23rd, 2015 1:15pm
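The group auditing mentioned in the reply above can be sketched as a check that pairs "member added" and "member removed" events on the AD groups mapped to SSAS roles. This is an added example, not part of the thread or any poster's code. It assumes the Security-log events have already been exported into simple records, and the group and account names are hypothetical.

```python
from datetime import datetime, timedelta

# Windows Security-log event IDs for security-enabled group changes
# (global, domain-local, universal): member added / member removed.
ADD_IDS = {4728, 4732, 4756}
REMOVE_IDS = {4729, 4733, 4757}

def find_transient_memberships(events, watched_groups, max_window=timedelta(hours=24)):
    """Return add/remove pairs on watched groups that close within max_window."""
    watched = {g.lower() for g in watched_groups}
    open_adds = {}   # (group, member) -> add event still awaiting a removal
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["group"].lower(), ev["member"].lower())
        if key[0] not in watched:
            continue
        if ev["event_id"] in ADD_IDS:
            open_adds[key] = ev
        elif ev["event_id"] in REMOVE_IDS and key in open_adds:
            add = open_adds.pop(key)
            held = ev["time"] - add["time"]
            if held <= max_window:
                findings.append({
                    "group": ev["group"], "member": ev["member"],
                    "added_by": add["actor"], "removed_by": ev["actor"],
                    "held_for": held,
                    # True when the account granted itself the membership
                    "self_service": add["actor"].lower() == key[1],
                })
    return findings

def _ev(ts, event_id, group, member, actor):
    return {"time": datetime.fromisoformat(ts), "event_id": event_id,
            "group": group, "member": member, "actor": actor}

# Constructed sample events (not real log data); all names are hypothetical.
SAMPLE_EVENTS = [
    _ev("2015-02-20T09:00:00", 4728, "SSAS-Finance-Readers", "jsmith", "helpdesk1"),
    _ev("2015-02-21T22:14:05", 4728, "SSAS-Finance-Readers", "adm-kim", "adm-kim"),
    _ev("2015-02-21T22:51:40", 4729, "SSAS-Finance-Readers", "adm-kim", "adm-kim"),
    _ev("2015-02-22T10:00:00", 4728, "HR-Printers", "tlee", "helpdesk1"),
    _ev("2015-02-22T10:05:00", 4729, "HR-Printers", "tlee", "helpdesk1"),
    _ev("2015-03-20T09:00:00", 4729, "SSAS-Finance-Readers", "jsmith", "helpdesk1"),
]

if __name__ == "__main__":
    for finding in find_transient_memberships(SAMPLE_EVENTS, ["SSAS-Finance-Readers"]):
        print(finding)
```

Only the short-lived, self-granted membership on the watched group is reported; the month-long membership and the change on an unrelated group are ignored.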

Hi Donna,

According to your description, you want to know the security effectiveness in SSAS. Right?

As you mentioned, SSAS (like other SQL BI features) uses role-based security, and the permissions of roles are assigned to AD users/groups. So security issues would mostly happen in user authentication. However, Analysis Services supports Kerberos authentication. It can always keep the credential in a multi-hop environment like an intranet. SSAS is always safe, unless the supported Windows authentication is cracked. For more information, please see: Authentication methodologies supported by Analysis Services

Regards,

February 24th, 2015 4:48am

This topic is archived. No further replies will be accepted.
