Application roles apply to the whole Dashboard Designer installation and grant system-wide access to data and tasks. There are four types of server roles:
-Admin. This role provides complete control over Monitoring Server and access to all elements in the system. A member of the Admin role can create, edit, and delete all dashboard elements and also publish to the server. Administrators on the Monitoring Server machine have full access to the dashboard builder. The dashboard builder is also used to grant element role and server role security to other users. The administrator group on the computer that hosts the Monitoring Server is automatically added to this role and cannot be removed.
-Creator. This role enables users to create reports, key performance indicators (KPIs), scorecards, and other indicators. Users who have the Creator role can publish dashboard elements to the Monitoring Server. A Creator can also delete elements if he or she has Editor permissions on the element. After an element has been created, the identity of the creator is automatically added to the element's Editor role.
-Data Source Manager. This role enables users to create and delete data sources. Users who have permissions for the Data Source Manager role can also publish data sources to Monitoring Server.
-Power Reader. This role grants read-only access to all dashboard elements on the Monitoring Server. This role is intended for use by service accounts or backend services that need complete access to the system. For example, our engine running under notification services must be granted this role for alerts to work.
Monitoring Server Web Services are organized into dashboard elements that include key performance indicators (KPIs), scorecards, reports, data sources, and other indicators. Dashboard elements are combined with filters, which are then presented to users on a Windows SharePoint Services-based or Windows SharePoint Portal Server-based Web page.
Dashboard element roles grant access to data and tasks. Permissions to access these elements are assigned on a per-element basis. Therefore, roles are specific to each KPI, scorecard, report, data source, and other indicators. There are two types of element roles:
-Editor. This role enables users to modify all data related to the KPI, data source, report, or scorecard to which the permissions apply. When a user who has permissions to the Monitoring Server Administrator, Dashboard User, or Data Source Manager role creates an element, that user is automatically added to the Editor role.
-Reader. This role grants read-only access to a specific dashboard element. It enables users to view the elements of a Dashboard in the Designer.
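The following is an added example, not code from Monitoring Server or from the author. It models the Admin, Creator and Power Reader server roles together with the Editor and Reader element roles to show who can effectively read or delete an element; the class names, account names and the service-account inventory are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Element:
    editors: set = field(default_factory=set)
    readers: set = field(default_factory=set)

@dataclass
class Server:
    admins: set
    creators: set
    power_readers: set
    service_accounts: set  # assumption: your own inventory of service accounts
    elements: dict = field(default_factory=dict)

    def create(self, user, name):
        # Publishing requires Admin or Creator; the publisher becomes Editor.
        if user not in self.admins | self.creators:
            raise PermissionError(f"{user} may not create elements")
        self.elements[name] = Element(editors={user})

    def effective_readers(self, name):
        # Admin and Power Reader are server-wide, so they bypass element roles.
        e = self.elements[name]
        return self.admins | self.power_readers | e.editors | e.readers

    def can_delete(self, user, name):
        # A Creator may delete only where they also hold Editor on the element.
        e = self.elements[name]
        return user in self.admins or (user in self.creators and user in e.editors)

    def power_reader_findings(self):
        # Power Reader is intended for service accounts; list everyone else.
        return sorted(self.power_readers - self.service_accounts)

def build_sample():
    # Constructed sample data; none of these accounts come from the page.
    srv = Server(admins={"admin1"}, creators={"alice", "bob"},
                 power_readers={"svc-notify", "carol"},
                 service_accounts={"svc-notify"})
    srv.create("alice", "Sales Scorecard")
    srv.elements["Sales Scorecard"].readers.add("dave")
    return srv

if __name__ == "__main__":
    srv = build_sample()
    print("can read:", sorted(srv.effective_readers("Sales Scorecard")))
    print("bob can delete:", srv.can_delete("bob", "Sales Scorecard"))
    print("review Power Reader:", srv.power_reader_findings())
```

In the sample, only dave was granted Reader on the scorecard, yet five accounts can read it, because the server-wide roles are added on top of the element roles.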
Assigning the users and groups to roles in Monitoring Server by using the existing organization structure is usually a good way to get started. First, decide who will administer the server. These people should be trusted with all of the business data the application will use and will be responsible for configuration of the rest of the application. Next, the administrators of the system will need to define a set of data source managers. These individuals might not be trusted to assign additional rights for users in the application but should be trusted with the available business data. The administrators should then define the set of creators in the system. They will be responsible for creating content based on the set of data that has been made available to them by the data source managers and administrators. The members of the creator role will be responsible for defining who can see the content that they have published by using element roles.
For the most part, a user will be limited to the set of data that a creator or administrator wants them to see. One important exception to this is the use of navigation on Analytic reports generated against Analysis Services. Some of the more complex navigation options allow readers of the report to see data that the individual creator of the content might not have intended to be visible. Make sure that you have secured your data directly in Analysis Services (AS) rather than trying to use the application security available in Monitoring Server.
Josh Zimmerman (firstname.lastname@example.org)