mds security
TRANSCRIPT
8/9/2019 MDS Security
1/14
MDS Security
Andi Comisioneru, Principal Group Program Manager, Microsoft Corporation
Microsoft
SQL Server 201
Agenda
Who is Secured
What is Secured
Logic and the Effective Permissions
Guidelines and Best Practices
What is MDS Securing?
[Slide diagram: what MDS secures]
Permissions to Functions (role-based permissions): Explorer (Web), Excel Add-in, Version Management, Integration Management, System Administration, User and Group Permissions
Permissions to Model Objects (Model Security): Model, Entities, Member Types (Leaf, Consolidated, Collections), Collections
Permissions to Hierarchy Members (Hierarchy Members Security): Hierarchy, Hierarchy Member 1, Hierarchy Member 2 ... Hierarchy Member n
DBA
Security Provisioning in MDS
Pre-req: users, groups and membership defined in AD
Add users and groups to MDS
Assign access to functions
Optional: Assign access to model components
Assign access to members
Edit user email profile
[Diagram: access levels]
Manage )sers
Properties
o Email format maintained in MDS
o Email address maintained in MDS if a local user
o Last Login Date updated by MDS
o All other properties inherited from AD
Membership
o Indicates groups to which the user belongs
o Read-only, inherited from AD
[Diagram: Active Directory and MDS]
Manage Groups
Properties
o General group information
o Read-only, inherited from Active Directory
Group types
o Local Group
o Active Directory Group
Membership
o Indicates users associated with the selected group
o Read-only, inherited from AD
[Diagram: Active Directory]
Function Permissions
o Role-based permissions
o Assign access to one or more functions to a user or group
Model Permissions
o Selected group
o Lists all security assignments for the selected model
o Restrict assignments to a model
o Access location of the selected security assignment
o Attributes: column-based permissions
Hierarchy Members Permissions
o Assign member security for the selected version and hierarchy
o Hierarchy row-based permissions
o Member security assignments for the selected group
o Members associated with the selected hierarchy
Effective Permissions
Calculated from:
o Inheritance: from a parent model object or member
o Group association
o Intersection of model and member security
Order of Operations
1. Hierarchical inheritance is applied
• Permissions cascade down the hierarchy unless overwritten at a lower level
2. Security roles are combined across the user's groups and the direct user permissions
• Group 1 perms + ... + Group N perms + User perms = User's effective permissions
3. Intersect model and hierarchy member security
• Model permission and Member permission = Data element permission
• Special cases:
- Read or Update can't override a higher-level Deny (you can't change what you can't see)
- Code and Name cannot be explicitly denied
[Diagram: Model Object Inheritance; Group / User Combination for Model Security; Model / Member Intersection; Hierarchy Member Inheritance; Group / User Combination for Member Security]
Members Security
o Assigned permissions are inherited and cascade down the hierarchy from the closest ancestor
o For overlapping hierarchies, the most restrictive permission wins; the order of succession is as follows:
1. Deny
2. Read-only
3. Update
4. Unspecified
o For overlapping group permissions, the least restrictive permission wins (an explicit Deny is the exception, as examples 2 and 3 show)
• Examples
1. Update (Group 1) + Read (Group 2) = Update (user's effective permission)
2. Deny (Group 1) + Update (Group 2) = Deny (user's effective permission)
3. Update (Group 1) + Read (Group 2) + Deny (User) = Deny (user's effective permission)
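The three-step effective-permission calculation (hierarchical inheritance, combination across the user's groups and direct assignment, model/member intersection) and the Members Security rules above, worked through in code. This is an added example, not code from the original deck or from Microsoft. It assumes the four permission levels the slides name, treats Unspecified as contributing nothing (including when model and member permissions are intersected, an assumption to check against the product), represents model objects as dotted paths that inherit from their parent, and uses constructed users, groups, hierarchies and assignments (Analysts, Auditors, Viewers, Geography, SalesRegion, Customer.Country):

```python
"""Effective-permission calculator for the MDS rules summarised on the slides.

Added illustration, not Microsoft's or MDS's own code.  Assumptions: the four
permission levels the slide names; "Unspecified" means no opinion and yields
to any specified permission, including in the model x member intersection;
model objects are dotted paths ("Customer.Country") inheriting from their
parent; the hierarchies and assignments at the bottom are constructed data.
"""
from typing import Dict, Iterable, List, Optional

# Order of succession from the slide, most restrictive first.
RANK = {"Deny": 0, "Read-only": 1, "Update": 2, "Unspecified": 3}
Hierarchy = Dict[str, Optional[str]]      # node -> parent node (None = root)
Assignments = Dict[str, Dict[str, str]]   # principal -> {node: permission}

def most_restrictive(perms: Iterable[str]) -> str:
    """Overlapping hierarchies and the model x member intersection: the most
    restrictive permission wins; Unspecified yields to anything specified."""
    return min(perms, key=RANK.__getitem__, default="Unspecified")

def combine_principals(perms: Iterable[str]) -> str:
    """Step 2: combine the user's groups with the direct user permission.
    Least restrictive wins, except that an explicit Deny from any principal wins."""
    specified = [p for p in perms if p != "Unspecified"]
    if not specified:
        return "Unspecified"
    if "Deny" in specified:
        return "Deny"
    return max(specified, key=RANK.__getitem__)

def inherited(node: str, parent_of: Hierarchy, assigned: Dict[str, str]) -> str:
    """Step 1: the closest ancestor's explicit assignment cascades down, but a
    Read/Update lower down cannot override a Deny above it."""
    closest = "Unspecified"
    current: Optional[str] = node
    while current is not None:
        perm = assigned.get(current, "Unspecified")
        if perm == "Deny":
            return "Deny"
        if perm != "Unspecified" and closest == "Unspecified":
            closest = perm
        current = parent_of.get(current)
    return closest

def model_permission(principal: str, model_object: str,
                     model_assignments: Assignments) -> str:
    """Model-object inheritance: "Customer.Country" inherits from "Customer"."""
    parts = model_object.split(".")
    parent_of: Hierarchy = {".".join(parts[:i + 1]): (".".join(parts[:i]) or None)
                            for i in range(len(parts))}
    return inherited(model_object, parent_of, model_assignments.get(principal, {}))

def member_permission(principal: str, member: str, hierarchies: Dict[str, Hierarchy],
                      member_assignments: Dict[str, Assignments]) -> str:
    """One principal's permission on a member across every hierarchy holding
    it; overlapping hierarchies resolve to the most restrictive."""
    return most_restrictive(
        inherited(member, parent_of, member_assignments.get(name, {}).get(principal, {}))
        for name, parent_of in hierarchies.items() if member in parent_of)

def effective_permission(user: str, groups: List[str], model_object: str, member: str,
                         model_assignments: Assignments, hierarchies: Dict[str, Hierarchy],
                         member_assignments: Dict[str, Assignments]) -> str:
    """Steps 1-3: inherit, combine across principals, intersect model x member."""
    principals = [user, *groups]
    model_perm = combine_principals(
        model_permission(p, model_object, model_assignments) for p in principals)
    member_perm = combine_principals(
        member_permission(p, member, hierarchies, member_assignments) for p in principals)
    return most_restrictive([model_perm, member_perm])

def assign_model_permission(model_assignments: Assignments, principal: str,
                            model_object: str, perm: str) -> None:
    """Special case from the slide: Code and Name cannot be explicitly denied."""
    if perm == "Deny" and model_object.rsplit(".", 1)[-1] in ("Code", "Name"):
        raise ValueError(f"{model_object} cannot be explicitly denied")
    model_assignments.setdefault(principal, {})[model_object] = perm

# Constructed sample data; Germany and France sit in two overlapping hierarchies.
HIERARCHIES: Dict[str, Hierarchy] = {
    "Geography": {"World": None, "Europe": "World", "Germany": "Europe", "France": "Europe"},
    "SalesRegion": {"EMEA": None, "Germany": "EMEA", "France": "EMEA"},
}
MEMBER_ASSIGNMENTS: Dict[str, Assignments] = {
    "Geography": {"Analysts": {"Europe": "Update"}, "Auditors": {"World": "Read-only"},
                  "Viewers": {"World": "Update"}, "bob": {"Germany": "Deny"}},
    "SalesRegion": {"Auditors": {"EMEA": "Deny", "France": "Update"}},
}
MODEL_ASSIGNMENTS: Assignments = {
    "Analysts": {"Customer": "Update"}, "Auditors": {"Customer": "Read-only"},
    "Viewers": {"Customer": "Read-only"}, "bob": {"Customer": "Update"},
}

def resolve(user: str, groups: List[str], member: str) -> str:
    """Effective permission on Customer.Country for the sample data."""
    return effective_permission(user, groups, "Customer.Country", member,
                                MODEL_ASSIGNMENTS, HIERARCHIES, MEMBER_ASSIGNMENTS)
```

With the sample data, resolve("alice", ["Analysts"], "Germany") is Update (inherited from Europe), resolve("bob", ["Analysts"], "Germany") is Deny (a direct Deny beats the group's Update, as in slide example 3), resolve("dave", ["Analysts", "Auditors"], "France") is Deny because Auditors' Update on France in SalesRegion cannot override the Deny on EMEA above it, and resolve("gina", ["Viewers"], "Germany") is Read-only because the group's Update on members is intersected with its Read-only model permission.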
Guidelines & Recommended Practices
o Keep it simple
o Outline the multiple roles and responsibilities to drive security requirements
o Derive requirements for function, model and member security
o Use member security sensibly: a single hierarchy is recommended
o Keep it minimal
o The Security function is typically reserved for a single system administrator
o A typical end user will be granted permission to the Explorer function only
o Keep it generic
o Assign permissions to groups rather than to users
o User roles change over time
o Easier to manage through the lifecycle (a layer of indirection)
o Always review the resultant effective permissions
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.