Minimal security settings for a Analysis Services service account

As an add-on to my previous post about adding Analysis Services to an existing SQL cluster, I thought it might also be helpful to list the various security settings which need to be set to allow SSAS to not only run but accept connections.  Again, in a dev environment, if your "service account" is an administrator account, you'll have no issues, but in a production environment if your serivce account does not have these additional rights, while the service will start up, you will not be able to actually use Analysis Services.

User Rights Assignment

After SSAS has been installed, the following security must be set to allow the chosen service account to run. 

Local Security Policy Assignment

· Open the local security policy MMC (from the Run or Command prompt type gpedit.msc)

· Navigate to Local Computer Policy->Computer Configuration->Windows Settings->Security Settings->Local Policies->User Rights Assignment

· Grant access to the SSAS service account for the following policies:

o Bypass traverse checking

o Token object creation (Create a token object)

o Security audit generation (Generate security audits)

o Locking of pages in memory (Lock pages in memory)

o Replacement of a process level token (Replace a process level token)

o Log on as a batch job

· Close the security policy MMC

File Security Assignment

· Open Windows Explorer

· Navigate to %PROGRAMFILES%\Microsoft SQL Server\MSSQL.3\OLAP (where %PROGRAMFILES% is the Program Files folder where SSAS was installed).

· Right click the OLAP folder and select “Properties”

· Select the security tab

· Grant Modify permissions to the SSAS service account

· Grant Read (Read and Execute, List Folder Contents, and Read) permissions to Network Service

· Click Apply and OK

After all security settings are applied, restart the SSAS service.