This tutorial explains how to manage the authentication process when working with SQL Server Analysis Services (SSAS) using Flexmonster Accelerator. We support three different approaches:
In SQL Server Analysis Services, access rights are provided based on roles. More information about role configuration can be found in this tutorial from Microsoft.
After roles are configured in Analysis Services, they can be specified in Flexmonster reports by using the roles property. The following sample demonstrates how to specify roles:
dataSource: {
type: "microsoft analysis services",
/* URL to Flexmonster Accelerator */
proxyUrl: "https://olap.flexmonster.com:8085/FlexmonsterProxy/",
catalog: "Adventure Works DW Standard Edition",
cube: "Adventure Works",
/* A flag to use the Accelerator
instead of XMLA protocol binary */
binary: true,
/* roles from SSAS, you can add multiple
roles separated by comma */
roles: "Sales Manager US"
}
To configure Windows authentication for your type of the Accelerator, do the following:
Windows authentication on the server side can be enabled in the flexmonster.config file. To open this file, go to Flexmonster Accelerator Manager and click the Config button.
In flexmonster.config, set the WINDOWS_AUTH property to true to enable the authentication:
WINDOWS_AUTH=true
When enabled, the authentication requires certain origins to be defined in the Access-Control-Allow-Origin header. Origin is a domain that sends requests to Flexmonster Accelerator (e.g., http://localhost:8080 or https://example.com). To allow the origin to send requests to the Accelerator, specify the ALLOW_ORIGIN property in the flexmonster.config file:
ALLOW_ORIGIN=http://localhost:8080
Several origins can be defined as follows:
ALLOW_ORIGIN=http://localhost:8080, https://example.com
To apply new configs, restart the Accelerator using Flexmonster Accelerator Manager: click the Stop button and then click Start.
Windows authentication should be allowed on the client side as well. To enable the authentication on the client, set the withCredentials property of the DataSourceObject to true:
var pivot = new Flexmonster({
container: "pivotContainer",
componentFolder: "node_modules/flexmonster/",
toolbar: true,
report: {
dataSource: {
type: "microsoft analysis services",
proxyUrl: "http://localhost:50005",
catalog: "Adventure Works DW Standard Edition",
cube: "Adventure Works",
binary: true,
withCredentials: true
}
}
});
To apply the configurations, restart Flexmonster Accelerator. You can check if the Accelerator is up and running by navigating to its URL in the browser (http://localhost:50005 by default).
Flexmonster Accelerator will automatically use your current Windows user to perform impersonated requests to Microsoft Analysis Services.
If the page with Flexmonster Pivot is opened in the Incognito browser window, the pop-up window prompting to enter your login and password should appear. After you log in with your Windows user credentials, Flexmonster Accelerator should successfully connect to the data source.
Note To protect your data further, enable HTTPS connection for Flexmonster Accelerator.
This guide contains the following sections:
To illustrate how Windows authentication can be configured in an Accelerator DLL project, we added the windows-authentication branch to our sample GitHub application.
To run the sample project, complete these steps:
Step 1. To get our sample project, download it as ZIP or clone it with the following command:
git clone -b windows-authentication https://github.com/flexmonster/pivot-accelerator-dll
Step 2. Open the sample project in Visual Studio using the Flexmonster Accelerator MVC.sln solution file.
Step 3. Update the NuGet packages if needed:
Manage NuGet Packages in the context menu.Updates tab and check the Select all packages checkbox.Update button.Step 4. Open the FlexmonsterConfig.cs file and specify your data source (e.g., localhost):
public static void Register()
{
Flexmonster.Accelerator.Controllers.FlexmonsterProxyController
.ConnectionString = "Data Source=yourDataSource";
// Other configurations
}
Step 5. Now go to the Index.cshtml view and set your values for the catalog and cube properties:
dataSource: {
dataSourceType: "microsoft analysis services",
proxyUrl: "/api/accelerator/",
catalog: "Your Catalog",
cube: "Your Cube",
binary: true,
withCredentials: true
}
Step 6. Run the sample project by clicking the IIS Express button on the toolbar:
To see the result, open http://localhost:55158/ in your browser. Flexmonster Accelerator will automatically use your current Windows user to perform impersonated requests to Microsoft Analysis Services.
Now let’s see which configurations you should set to enable Windows authentication in your project:
Step 1. Enable authentication on the Accelerator's side in the FlexmonsterConfig.cs file:
public static void Register()
{
// Other configurations
Flexmonster.Accelerator.Controllers.FlexmonsterProxyController
.AuthEnabled = true;
Flexmonster.Accelerator.Controllers.FlexmonsterProxyController
.Impersonator = new WindowsImpersonatorFactory();
// Other configurations
}
Step 2. In the Web.config file, specify the <security> element to define authentication configurations for the server:
<system.webServer> <!-- Other tags --> <security> <authentication> <anonymousAuthentication enabled="true" /> <windowsAuthentication enabled="true" /> </authentication> <authorization> <remove users="*" roles="" verbs=""/> <add accessType="Allow" users="?" verbs="OPTIONS"/> <add accessType="Deny" users="?" verbs="GET,PUT,POST,DELETE"/> <add accessType="Allow" roles="Users" /> </authorization> </security> <!-- Other tags --> </system.webServer>
Learn more about the <security> element in the Microsoft documentation.
Step 3. In the pivot-accelerator-dll/.vs/Flexmonster Accelerator MVC/config/applicationhost.config file, find the anonymousAuthentication element and set its enabled attribute to true. Then do the same for the windowsAuthentication element:
<authentication> <anonymousAuthentication enabled="true" userName="" /> <!-- Other configs --> <windowsAuthentication enabled="true"> <!-- Other configs --> </windowsAuthentication> </authentication>
Note that the .vs/ folder appears after opening the project in Visual Studio, and it is hidden by default. See the Microsoft documentation for guidance on displaying hidden folders.
Step 4. Set the dataSource.withCredentials property to true in your .cshtml page (e.g., Index.cshtml):
dataSource: {
dataSourceType: "microsoft analysis services",
proxyUrl: "/api/accelerator/",
catalog: "Your Catalog",
cube: "Your Cube",
binary: true,
withCredentials: true
},
Now you can use Windows authentication in your Accelerator DLL project.
If you already have an ASP.NET portal that handles users and an authorization process, the most convenient option is to embed the Accelerator into that system. For this purpose, we recommend referencing the Accelerator as a DLL and integrating a Web API endpoint. Endpoint access is fully controlled by the ASP.NET portal so you can manage security in any way you want. The overall process is described in the diagram below. For more details regarding referencing the Accelerator as a DLL please read our tutorial.
You may be interested in the following articles: