mds security

Upload: ssg2

Post on 01-Jun-2018


  • 8/9/2019 MDS Security

    1/14

    MDS Security

    Andi Comisioneru, Principal Group Program Manager, Microsoft Corporation

    Microsoft

    SQL Server 201

  • 2/14

    Agenda

    Who is Secured

    What is Secured

    Logic and the Effective Permissions

    Guidelines and Best Practices

  • 3/14

  • 4/14

    What is MDS Securing?

    [Diagram: the three layers of MDS security]

    Permissions to Functions (Role Based Permissions): User and Group Permissions, Version Management, Integration Management, System Administration, Explorer (Web), Excel Add-In

    Permissions to Model Objects (Model Security): Model, Entities, Collections, Member Type (Leaf, Consolidated, Collections), Hierarchy

    Permissions to Hierarchy Members (Members Hierarchy Security): Hierarchy Member 1, Hierarchy Member 2 ... Hierarchy Member n

    DBA

  • 5/14

    Security Provisioning in MDS

    Pre-req: users, groups and membership defined in AD

    Add users and groups to MDS

    Assign access to functions

    Optional: Assign access to model components

    Assign access to members

    Edit user email profile

    Microsoft Confidential 5

    Access levels

  • 6/14

    Manage Users

    Properties

    Email format maintained in MDS

    Email address maintained in MDS if a local user

    Last Login Date updated by MDS

    All other properties inherited from AD

    Membership

    Indicates groups to which the user belongs

    Read-only: inherited from AD

    [Screenshot: Active Directory / MDS]

  • 7/14

    Manage Groups

    Properties

    General group information

    Read-only: inherited from Active Directory

    Group types

    Local Group

    Active Directory Group

    Membership

    Indicates users associated with the selected group

    Read-only: inherited from AD

    [Screenshot: Active Directory]

  • 8/14

    Function Permissions

    o Role based permissions

    o Assign access to one or more functions to a user or group

  • 9/14

    Model Permissions

    Selected group

    Lists all security assignments for the selected model

    Restrict assignments to a model

    Access location of selected security assignment

    o Attributes: Column based permissions

  • 10/14

    Hierarchy Members Permissions

    o Assign member security for the selected version and hierarchy

    o Hierarchy: Row Based Permissions

    Member security assignments for the selected group

    Members associated with the selected hierarchy

  • 11/14

    Effective Permissions

    Calculated from:

    Inheritance: from a parent model object or member

    Group Association

    Intersection of model and member security

    Order of Operations

    1. Hierarchical inheritance is applied

    • Permissions cascade down the hierarchy unless overwritten at a lower level

    2. Security roles are combined across the user's groups and the direct user permissions

    • Group1 perms + ... + Group N perms + User perms = User's effective permissions

    3. Intersect model and hierarchy member security

    • Model permission and Member permission = Data element permission

    • Special cases:

    Read or Update can't override a higher level Deny: you can't change what you can't see

    Code and Name cannot be explicitly denied

    [Diagram: Model Object Inheritance; Group / User Combination for Model Security; Model / Member Intersection; Hierarchy Member Inheritance; Group / User Combination for Member Security]

  • 12/14

    Members Security

    o Assigned permissions are inherited and cascade down the hierarchy from the closest ancestor

    o For overlapping hierarchies, the most restrictive permission wins; order of succession is as follows:

    1. Deny

    2. Read-only

    3. Update

    4. Unspecified

    o For overlapping group permissions, the least restrictive permission wins

    • Examples

    1. Update(Group1) + Read(Group2) = Update(User's Effective)

    2. Deny(Group1) + Update(Group2) = Deny(User's Effective)

    3. Update(Group1) + Read(Group2) + Deny(User) = Deny(User's Effective)
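    The three-step order of operations from slide 11 and the precedence rules and examples from slide 12, modelled in Python as an added illustration; this is not Microsoft's or MDS's own code. `Perm`, the function names and the World > US > US-East hierarchy are constructed here, and the rule for an unassigned member permission in `intersect` is an assumption the slides do not spell out.

```python
from enum import IntEnum

class Perm(IntEnum):
    """MDS permission levels, most restrictive first (slide 12 order of succession)."""
    DENY = 0
    READ_ONLY = 1
    UPDATE = 2
    UNSPECIFIED = 3  # nothing assigned

def inherit(chain, assignments):
    """Step 1: hierarchical inheritance. chain = member first, then its ancestors.
    Closest explicit assignment wins, but a Deny higher up cannot be overridden."""
    levels = [assignments.get(node, Perm.UNSPECIFIED) for node in chain]
    if Perm.DENY in levels:
        return Perm.DENY
    return next((lv for lv in levels if lv is not Perm.UNSPECIFIED), Perm.UNSPECIFIED)

def most_restrictive(levels):
    """Overlapping hierarchies: Deny > Read-only > Update > Unspecified."""
    return min(levels, default=Perm.UNSPECIFIED)

def combine_principals(levels):
    """Step 2: combine the user's direct assignment with its groups. The least
    restrictive assigned level wins, except that an explicit Deny overrides all."""
    assigned = [lv for lv in levels if lv is not Perm.UNSPECIFIED]
    if not assigned:
        return Perm.UNSPECIFIED
    return Perm.DENY if Perm.DENY in assigned else max(assigned)

def intersect(model, member):
    """Step 3: intersect model-object and hierarchy-member security. Assumption
    (not spelled out on the slides): no member assignment leaves the model
    permission as-is; otherwise the more restrictive level wins."""
    if member is Perm.UNSPECIFIED:
        return model
    return Perm.UNSPECIFIED if model is Perm.UNSPECIFIED else min(model, member)

def effective(principals, model_perms, member_perms, chain):
    """One user's effective permission on one member. principals = user + groups;
    model_perms: principal -> Perm; member_perms: principal -> {node: Perm}."""
    model = combine_principals([model_perms.get(p, Perm.UNSPECIFIED) for p in principals])
    member = combine_principals([inherit(chain, member_perms.get(p, {})) for p in principals])
    return intersect(model, member)

# Constructed sample data (not from the deck): one hierarchy World > US > US-East.
CHAIN = ["US-East", "US", "World"]
MODEL = {"Group1": Perm.UPDATE, "Group2": Perm.READ_ONLY}
MEMBERS = {"Group1": {"World": Perm.UPDATE, "US": Perm.READ_ONLY},
           "Group2": {"World": Perm.DENY}}
```

    Reviewing `effective(...)` for each user and member is the "always review the resultant effective permissions" step from the guidelines: a Deny anywhere in a user's groups or up the member's ancestor chain wins, whatever the model permission says.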


  • 13/14

    Guidelines & Recommended Practices

    o Keep it simple

    o Outline the multiple roles and responsibilities to drive security req

    o Derive req for function, model and member security

    o Use Member security sensibly: single hierarchy recommended

    o Keep it Minimal

    o Security function is typically reserved for a single system administrator

    o Typical end-user will be granted permission to the Explorer function only

    o Keep It Generic

    o Assign permissions to group security rather than users

    o User roles change over time

    o Easier to manage through lifecycle: layer of indirection

    o Always review the resultant effective permissions

  • 14/14

    2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

    The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

    MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.