Securing PerformancePoint Content in SharePoint

All PerformancePoint content is stored in SharePoint, which makes it easy for employees to share and re-use that content. But what about content that you want to restrict? This article will give you instructions for locking down PerformancePoint content in SharePoint.

Note: Data-level security, which allows you to limit the data that users can access through analysis of published reports, is outside the scope of this blog.

The Prerequisites

Before we get into the different security settings, let’s make sure that all our ducks are in a row. First of all, you will need to be a site collection administrator to enable the site collection features. If you are not one, then you will need to contact one and ask them to make some of these prerequisite changes for you. Your SharePoint administrator can tell you who your site collection administrators are.

Next, you need your PerformancePoint-enabled lists and document libraries to be available to the Dashboard Designer. If they aren’t, you won’t be able to save content to those locations. If you’re using the Business Intelligence Center site template, you will already have a data connection library called Data Connections and a content list called PerformancePoint Content and should be good to go. If you aren’t, or if you want to use a site template other than the BI Center template, you need to make sure the proper features are active. Enabling these features will allow you to select PerformancePoint-specific list and library templates from the Create menu under Site Settings when creating a new list or library specifically for BI. To do this, go to the home page for your site and, from the Site Actions link in the upper-left corner, select the link at the bottom, Site Settings.

Permissions1

In the Site Collection Administration section, select Site collection features and make sure that SharePoint Server Publishing Infrastructure and PerformancePoint Services Site Collection Features are both active and enabled in that order. In the Site Actions section, select Manage site features and make sure that PerformancePoint Services Site Features is active.

Next we need to set up data connection libraries and content lists. Data connection libraries (also called data source libraries) contain files called data sources that give PerformancePoint objects access to the data it needs to consume. Content lists, which are really just SharePoint lists with the appropriate content types, contain all other PerformancePoint content such as reports, scorecards, and dashboards.

If you need or want to create new libraries or lists, click the All Site Content link on the site home page and then click Create.

Permissions2

To create a data connections library, go to the Libraries section and click DataConnections Library for PerformancePoint. To create a new content list, go to the Custom Lists section and click PerformancePoint Content List. In either case, all you need to do is provide a name and then click Create. The great thing about these list and library templates is that they include the proper content types that make them visible to the Dashboard Designer.

Assigning Permissions in Lists and Libraries

When the Dashboard Designer needs to connect to SharePoint, it uses the Windows identity of the current user. Therefore, either that user or a group that that user belongs to needs to have the appropriate level of permissions in SharePoint for anything they need to access or save back to SharePoint.

In order to assign those permissions on the site home page, open the Site Actions menu and click on Site Permissions.

Permissions3

Click on the Grant Permissions button to assign permissions to the entire site for a specific Windows user or group. From this new dialog, add the users or groups to assign permissions to. Then you can either add them to an existing SharePoint group with preset permissions or individually specify the permissions yourself.

For users that only need to add, edit, or delete content in Dashboard Designer, adding them to the BI Members group (or directly giving them the equivalent of Contributor permissions) is sufficient. Users that need to be able to deploy dashboards to SharePoint will need to be added to the Designers group (or directly given the equivalent of Designer permissions).

Say for instance that you have a user who needs Read permissions on a deployed dashboard but you do not want them to be able view data source connection strings, which would normally be shown for these users. This is fairly common because these connection strings can contain credentials in plaintext, which you will likely want very few people to have access to. You can do this by setting up customized permission levels. Click on Permission Levels from the Site Permissions page and then click on the Read permission level. Once the Read details come up, click on Copy Permission Levels. Give the new permission level a name and then scroll down to the bottom and unselect the Open Items permissions in the List Permissions section, which is the specific permission PerformancePoint looks for when determining whether to show connection strings. Click Create after you’re done. If you want to start with an empty permission set, you can just click on Add a Permission Level from the Permission Levels screen. Your new permission level will show up in the Grant Permissions dialog.

What would you do if you have a user that wants to be able to save drafts of content in a private area that only they have access to? Fortunately, it is easy to apply permissions for specific lists and libraries. You can even apply permissions to individual items within lists or libraries if, for instance, you have a data source that only certain people should use because it accesses sensitive information. Open a data connection library or content list in SharePoint. Bring up the Library toolbar for data connection libraries or the List toolbar for content lists. Click on the List Permissions icon.

Permissions4

Click on Stop Inheriting Permissions for the list or library and then assign permissions as before.

To apply permissions to a single item, bring down the dropdown menu for a single item and click Manage Permissions (or you can click on the item directly and click Manage Permissions in the new dialog). From here, click on Stop Inheriting Permissions for the item and then assign permissions as before.

Note: While it is possible to apply permissions to individual scorecards, it is NOT possible to apply permissions to individual annotations within a scorecard. These can only inherit the permissions of the scorecard they are attached to.

The Unattended Service Account

The Unattended Service Account (USA) is used by default in PerformancePoint data sources to connect to external data sources such as Analysis Services. It is a property associated with a PerformancePoint service application, so many users may use the USA concurrently if they are all using data sources that use the USA. You can set or change the USA by going to the Application Management section in Central Administration and selecting Manage Service Applications, clicking on any service application of type PerformancePoint Service Application, and then selecting PerformancePoint Service Application Settings.

Permissions5

The USA should be associated with an account that has been created specifically for this role. It should not be an existing user account. And since it connects to your back-end data, it is important to restrict the rights of the USA as much as you can get away with. While it does need to able to read data from these data sources and execute queries against them, it should never have permission to create, edit, or delete content. There are no PerformancePoint features that require these permissions and granting them exposes your back-end data to unnecessary risk.

Trusted Locations

PerformancePoint uses SharePoint trusted locations to determine which objects it trusts to execute queries against back-end data sources like SQL Server. So if you want to be able to render and do ad-hoc analysis on an Analytic Chart report, both the chart object and its data source object must be located within trusted locations.

By default, PerformancePoint trusts all locations and lists in SharePoint. However, you can change this so that only individual libraries or lists are trusted by PerformancePoint.

Bring up the Central Administration page for SharePoint and in the Application Management section, click on Manage service applications. Then click on any service application whose type is PerformancePoint Service Application. From here, you can click on Trusted Data Source Locations or Trusted Content Locations to manage trusted locations associated with the current service application. Switch to Only specific locations to tell SharePoint to only trust the locations you specify. Then click on Add Trusted Data Source Location or Add Trusted Content Location.

Permissions6

If you only want to trust a single data connection library or content list, copy the URL for that library or list into the Address field. If you want to trust all data connection libraries or content lists within a given site or site collection, copy the URL for the site or site collection into the Address field and make sure the Location Type is correct. Click on the button to the right of the Address field to validate the URL. If done correctly, you should be able to select the proper location type for the trusted location. Click OK and you’re done. All content in this library or list will now be considered to be trusted by SharePoint.

We’ve only scratched the surface of security in PerformancePoint and SharePoint, but I hope that this introduction has given you the basic knowledge you need to ensure that your data gets to the people who need it, and ONLY those people. In the future, we will go beneath the surface and go into a more detailed discussion of some specific security topics.

Ray Saxe
Microsoft SDE