Analysis Services Configuration - Account Provisioning

SQL Server 2008 R2

Use the Analysis Services Configuration page of the SQL Server Installation Wizard to grant administrative permissions to users or services requiring unrestricted access to Analysis Services.

If you are installing PowerPivot for SharePoint, consider granting administrative permissions to SharePoint farm administrators or service administrators who are responsible for a deployment of SQL Server PowerPivot for SharePoint in a SharePoint 2010 farm.

Note:
In a PowerPivot for SharePoint deployment, a PowerPivot service application requires administrative permissions on the Analysis Services service to support server communication and coordinated functions. Administrative permissions are granted automatically when you create a PowerPivot service application in SharePoint Central Administration. Administrative permissions are also granted by Setup if you are installing PowerPivot for SharePoint using the New Server option. For more information about installation and service account requirements, see How to: Install Analysis Services on a New SharePoint Server.

Considerations for Provisioning SQL Server

Beginning in SQL Server 2005, significant changes were implemented to help ensure that SQL Server was more secure than previous versions. Changes included a "secure by design, secure by default, and secure in deployment" strategy designed to protect the server instance and its databases from security attacks.

SQL Server 2008 continues the security hardening process by introducing more changes to the server and database components. The changes introduced in SQL Server 2008 further decrease the surface and attack areas for the server and its databases by instituting a policy of least privileges and increases separation of Windows administration and SQL Server administration. This means that internal accounts are protected and separated into operating system functions and SQL Server functions. These measures include:

  • New SQL Server 2008 installations no longer add the local Windows Group BUILTIN\Administrators to the Analysis Services sysadmin fixed server role.
  • The ability to provision one or more Windows principals into the sysadmin server role inside SQL Server. This option is available during SQL Server Setup for new installations of SQL Server 2008.
  • The Surface Area Configuration (SAC) tool has been removed, and replaced by policy-based management and changes in the SQL Server Configuration Manager tool.

These changes will affect your security planning for SQL Server, and help you create a more complete security profile for your system.

Considerations for Running SQL Server 2008 on Windows Vista and Windows Server 2008

Windows Vista and Windows Server 2008 include a new feature, User Account Control (UAC), that helps administrators manage their use of elevated permissions. By default, on Windows Vista and Windows Server 2008, administrators do not use their administrative rights. Instead, they perform most actions as standard users, temporarily assuming their administrative rights only when it is necessary. However, instead of elevating privileges, we recommend that you create a Windows user account that has sufficient permissions to perform all necessary administrative tasks.

UAC causes some known issues. For more information, see the following Web pages:

Options

Specify Analysis Services Administrators - You must specify at least one system administrator for the instance of SQL Server.

  • To add the account under which SQL Server Setup is running, click the Add Current User button.
  • To add other users or services, click the Add… button and then enter the Windows domain user accounts for the person or service requiring administrative permissions.
  • To remove accounts from the list of system administrators, click Remove and then edit the list of users, groups, or computers that will have administrator privileges for the instance of SQL Server.

When you are finished editing the list, click OK, then verify the list of administrators in the configuration dialog box. When the list is complete, click Next.

See Also