Application Security for Monitoring Server

Monitoring Server has several roles that define the permissions to administer or create dashboard elements. Active Directory users and groups are assigned to these roles using the Dashboard Builder. In addition to the basic roles on the system, users and groups are assigned to the individual elements on the server as either an editor or a reader. These dashboard elements include items such as reports, scorecards, and the definition of the dashboard itself.

The needs for securing the Monitoring Server instance might differ for each organization. For example, in some organizations one or several people may do all of the tasks. In larger organizations, different people may administer the system, whereas others create libraries for reports or key performance indicators (KPIs), and a third group designs and builds scorecards. The role security model is intended to be flexible enough to meet individual needs, and understanding how the roles function is critical to securing the application.

Monitoring Server application roles

Application roles apply to the whole Dashboard Designer installation and grant system-wide access to data and tasks. There are four types of server roles:

-Admin. This role provides complete control over Monitoring Server and access to all elements in the system. A member of the Admin role can create, edit, and delete all dashboard elements and also publish to the server. Administrators on the Monitoring Server machine have full access to the Dashboard Builder. The Dashboard Builder is also used to grant element role and server role security to other users. The administrator group on the computer that hosts the Monitoring Server is automatically added to this role and cannot be removed.

-Creator. This role enables users to create reports, key performance indicators (KPIs), scorecards, and other indicators. Users who have the Creator role can publish dashboard elements to the Monitoring Server. A Creator can also delete elements if he or she has Editor permissions on the element. After an element has been created, the identity of the creator is automatically added to the element's Editor role.

-Data Source Manager. This role enables users to create and delete data sources. Users who have permissions for the Data Source Manager role can also publish data sources to Monitoring Server.

-Power Reader. This role grants read-only access to all dashboard elements on the Monitoring Server. This role is intended for use by service accounts or backend services that need complete access to the system. For example, our engine running under notification services must be granted this role for alerts to work.


Monitoring Server element roles

Monitoring Server Web Services are organized into dashboard elements that include key performance indicators (KPIs), scorecards, reports, data sources, and other indicators. Dashboard elements are combined with filters which are then presented to users on a Windows SharePoint Services-based or Windows SharePoint Portal Server-based Web page.

Dashboard element roles grant access to data and tasks. Permissions to access these elements are assigned on a per-element basis. Therefore, roles are specific to each KPI, scorecard, report, data source, and other indicators. There are two types of element roles:

-Editor. This role enables users to modify all data related to the KPI, data source, report, or scorecard to which the permissions apply. When a user who has permissions to the Monitoring Server Administrator, Dashboard User, or Data Source Manager role creates an element, that user is automatically added to the Editor role.

-Reader. This role grants read-only access to a specific dashboard element. It enables users to view the elements of a Dashboard in the Designer.
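The two role layers described above can be modelled to review who effectively has access to an element. The following is an added example, not Monitoring Server code or its API: the class, the account names, and the sample assignments are constructed, and it assumes that an Editor can also read the element, that data sources are created under the Data Source Manager role, and that group membership is already resolved to a single principal name.

```python
from dataclasses import dataclass, field

ADMIN, CREATOR, DSM, POWER_READER = "Admin", "Creator", "Data Source Manager", "Power Reader"

@dataclass
class Element:
    kind: str                                   # "datasource", "kpi", "report", "scorecard"
    editors: set = field(default_factory=set)   # element role: Editor
    readers: set = field(default_factory=set)   # element role: Reader

class RoleModel:
    def __init__(self):
        self.server_roles = {}                  # principal -> set of server roles
        self.elements = {}                      # element name -> Element

    def grant(self, principal, role):
        self.server_roles.setdefault(principal, set()).add(role)

    def create(self, principal, name, kind):
        roles = self.server_roles.get(principal, set())
        needed = DSM if kind == "datasource" else CREATOR   # assumption: split by kind
        if ADMIN not in roles and needed not in roles:
            raise PermissionError(f"{principal} may not create a {kind}")
        # The creating identity is added to the element's Editor role.
        self.elements[name] = Element(kind, editors={principal})

    def can(self, principal, action, name):
        roles = self.server_roles.get(principal, set())
        el = self.elements[name]
        if ADMIN in roles:                      # Admin: full control of every element
            return True
        if action == "read":                    # assumption: Editor implies read
            return POWER_READER in roles or principal in el.editors | el.readers
        if action == "edit":
            return principal in el.editors
        if action == "delete":
            if el.kind == "datasource" and DSM in roles:
                return True
            return CREATOR in roles and principal in el.editors
        raise ValueError(f"unknown action {action!r}")

    def unlisted_readers(self, name):
        """Principals who can read an element without appearing in its element roles."""
        el = self.elements[name]
        return sorted(p for p in self.server_roles
                      if self.can(p, "read", name) and p not in el.editors | el.readers)

def demo():
    m = RoleModel()                             # constructed sample assignments
    for who, role in [("CORP\\bi-admins", ADMIN), ("CORP\\alice", CREATOR),
                      ("CORP\\dsm-team", DSM), ("CORP\\svc-alerts", POWER_READER)]:
        m.grant(who, role)
    m.create("CORP\\dsm-team", "SalesCube", "datasource")
    m.create("CORP\\alice", "Revenue KPI", "kpi")
    m.elements["Revenue KPI"].readers.add("CORP\\bob")
    return m
```

`unlisted_readers` returns the principals that an element's own Editor and Reader lists do not show but who can still read it, which is the set to check when reviewing Admin and Power Reader membership.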

Recommendations for role configuration

Assigning users and groups to roles in Monitoring Server according to the existing organization structure is usually a good way to get started. First, decide who will administer the server. These people should be trusted with all of the business data the application will use and will be responsible for configuring the rest of the application. Next, the administrators of the system will need to define a set of data source managers. These individuals might not be trusted to assign additional rights for users in the application but should be trusted with the available business data. The administrators should then define the set of creators in the system. They will be responsible for creating content based on the set of data that has been made available to them by the data source managers and administrators. The members of the Creator role will be responsible for defining who can see the content that they have published by using element roles.

Exceptions to the basic role definitions

For the most part, a user will be limited to the set of data that a creator or administrator wants them to see. One important exception to this is the use of navigation on Analytic reports generated against Analysis Services. Some of the more complex navigation options allow readers of the report to see data that the creator of the content might not have intended to be visible. Make sure that you have secured your data directly in Analysis Services (AS) rather than trying to use the application security available in Monitoring Server.

 

Josh Zimmerman (joshz@microsoft.com)