This tutorial explains how to manage authentication and data access when working with SQL Server Analysis Services using Flexmonster Accelerator. We support three different approaches:
In SQL Server Analysis Services, access rights are provided based on roles. For more information about role configuration, visit Microsoft documentation on roles and permissions.
After roles are configured in Analysis Services, you can specify them in the dataSource.roles property when connecting Flexmonster Pivot to SSAS:
dataSource: {
type: "microsoft analysis services",
// A flag to use the Accelerator instead of XMLA
binary: true,
// URL to Flexmonster Accelerator
proxyUrl: "https://olap.flexmonster.com:8085/FlexmonsterProxy/",
catalog: "Adventure Works DW Standard Edition",
cube: "Adventure Works",
// Roles from SSAS
// To add multiple roles, separate them with a comma
roles: "Sales Manager US"
}Prerequisites:
Configuring Windows authentication depends on how the Accelerator is used in your project: as a Windows Service or as a DLL.
Step 1.1. Go to Flexmonster Accelerator Manager and select the Config button. The flexmonster.config file will be opened.
Step 1.2. In flexmonster.config, set the WINDOWS_AUTH property to true:
WINDOWS_AUTH=true
When the authentication is enabled, the Access-Control-Allow-Origin header must list particular origins. Origin is a domain that sends requests to Flexmonster Accelerator (e.g., http://localhost:8080 or https://example.com).
To allow an origin to send requests to the Accelerator, specify the origin in the ALLOW_ORIGIN property in the flexmonster.config file:
ALLOW_ORIGIN=http://localhost:8080
Several origins can be defined as follows:
ALLOW_ORIGIN=http://localhost:8080, https://example.com
To apply new configs, restart the Accelerator using Flexmonster Accelerator Manager: select the Stop button and then select Start.
You can check if the Accelerator is up and running by navigating to its URL in the browser (http://localhost:50005 by default).
Windows authentication must be enabled on the client side as well. To enable the authentication in Flexmonster, set the dataSource.withCredentials property to true:
const pivot = new Flexmonster({
container: "pivotContainer",
toolbar: true,
report: {
dataSource: {
type: "microsoft analysis services",
binary: true,
proxyUrl: "http://localhost:50005",
catalog: "Adventure Works DW Standard Edition",
cube: "Adventure Works",
withCredentials: true
}
}
});Flexmonster Accelerator will automatically use your current Windows user to perform impersonated requests to Microsoft Analysis Services.
If the page with Flexmonster Pivot is opened in the Incognito browser window, the pop-up window prompting you to enter your login and password should appear. After you log in with your Windows user credentials, Flexmonster Accelerator should successfully connect to SSAS.
Note To protect your data further, enable HTTPS connection for Flexmonster Accelerator.
This guide contains the following sections:
To illustrate how Windows authentication can be configured when the Accelerator is used as a DLL, we added the windows-authentication branch to our sample Accelerator DLL project.
To run the sample project, complete these steps:
Step 1. To get our sample project, download it as ZIP or clone it with the following command:
git clone -b windows-authentication https://github.com/flexmonster/pivot-accelerator-dll
Step 2. Open the sample project in Visual Studio using the Flexmonster Accelerator MVC.sln solution file.
Step 3. Open the FlexmonsterConfig.cs file and specify your data source (e.g., localhost):
public static void Register()
{
Flexmonster.Accelerator.Controllers.FlexmonsterProxyController
.ConnectionString = "Data Source=<your data source>";
// Other configurations
}
Step 4. Open the Index.cshtml view and set your values for the catalog and cube properties:
dataSource: {
dataSourceType: "microsoft analysis services",
proxyUrl: "/api/accelerator/",
catalog: "<your catalog>",
cube: "<your cube>",
binary: true,
withCredentials: true
}Step 5. Find and open the pivot-accelerator-dll/.vs/Flexmonster Accelerator MVC/config/applicationhost.config file.
Note The .vs/ folder appears after opening the project in Visual Studio and is hidden by default. See the Microsoft documentation for guidance on displaying hidden folders.
Step 6. In applicationhost.config, find the <section> element with the anonymousAuthentication name and set the overrideModeDefault attribute to Allow. Then, do the same for the element with the windowsAuthentication name:
<sectionGroup name="security">
// ...
<sectionGroup name="authentication">
<section name="anonymousAuthentication" overrideModeDefault="Allow" />
<section name="windowsAuthentication" overrideModeDefault="Allow" />
// ...
</sectionGroup>
// ...
</sectionGroup>
Step 7. Run the sample project by selecting the IIS Express button on the toolbar:
To see the result, open http://localhost:55158/ in your browser. Flexmonster Accelerator will automatically use your current Windows user to perform impersonated requests to Microsoft Analysis Services.
Now let’s see which configurations you should set to enable Windows authentication in your project:
Step 1. In the file where the Accelerator is configured, enable authentication on the Accelerator's side:
Flexmonster.Accelerator.Controllers.FlexmonsterProxyController.ConnectionString = "Data Source=localhost";
Flexmonster.Accelerator.Controllers.FlexmonsterProxyController
.AuthEnabled = true;
Flexmonster.Accelerator.Controllers.FlexmonsterProxyController
.Impersonator = new WindowsImpersonatorFactory();
// Other configurations
In our sample project, these configurations are set in the FlexmonsterConfig.cs file.
Step 2. In the Web.config file, specify the <security> element to define authentication configurations for the server:
<system.webServer>
<!-- Other tags -->
<security>
<authentication>
<anonymousAuthentication enabled="true" />
<windowsAuthentication enabled="true" />
</authentication>
<authorization>
<remove users="*" roles="" verbs=""/>
<add accessType="Allow" users="?" verbs="OPTIONS"/>
<add accessType="Deny" users="?" verbs="GET,PUT,POST,DELETE"/>
<add accessType="Allow" roles="Users" />
</authorization>
</security>
<!-- Other tags -->
</system.webServer>
See how this configuration is set in our sample project.
Learn more about the <security> element in the Microsoft documentation.
Step 3. In your IIS configurations, find and open the applicationhost.config file. Then, find the <section> element with the anonymousAuthentication name and set the overrideModeDefault attribute to Allow. Do the same for the element with the windowsAuthentication name:
<sectionGroup name="security">
// ...
<sectionGroup name="authentication">
<section name="anonymousAuthentication" overrideModeDefault="Allow" />
<section name="windowsAuthentication" overrideModeDefault="Allow" />
// ...
</sectionGroup>
// ...
</sectionGroup>
Step 4. Set the dataSource.withCredentials property to true in your .cshtml page with Flexmonster (e.g., Index.cshtml):
dataSource: {
type: "microsoft analysis services",
binary: true,
proxyUrl: "/api/accelerator/",
catalog: "Your Catalog",
cube: "Your Cube",
withCredentials: true
},Check out our sample project to see how withCredentials is specified.
Windows authentication is now used in your project with the Accelerator as a DLL.
If you already have an ASP.NET portal that handles users and an authorization process, the most convenient option is to embed the Accelerator into that system. For this purpose, we recommend referencing the Accelerator as a DLL and integrating a Web API endpoint. Endpoint access is fully controlled by the ASP.NET portal, so you will be able to manage security in any way you want. The overall process is shown on the diagram:
