RadarCube CONTAINS NO nested resources for restricting user's access to the Microsoft Analysis 2005 Cube data, since the task has been already solved by the developers of that OLAP-server. The main question here is how to enable the MSAS-nested access rights mechanism (based on user authentication in the Windows domain) by saving a feature to view the Cube contents from Internet.
Remember the general security principle in MS Analysis 2005: some roles, for which the certain access rights to the Cube data are handed out, are created for each Cube. Then, the Windows domain users are assigned the roles created in MS AS. Thus, to use a nested mechanism of MSAS security, you should, at least, get an authentication for the Internet user in the Windows domain.
You can force the ASP.NET application to run with the rights of a certain user by the IIS authentication, or by setting the <authentication> element of the Web.config file of the ASP.NET application.
But our main aim is creating a web-application where each of Internet-user could view the MS AS Cube data by using an independent kit of access rights.
So, for that you need to create enough MS AS roles, domain user accounts, and in some way, to tune a web-application settings. This can be done by using either a Basic-authentication of IIS, or the ASP.NET Forms Authentication Provider.
Connection to the MS Analysis server using the basic authentication
Place a web page with the RadarCube component in a catalog of a web-site (for example "Samples"), and then open the properties window of this folder in the "Computer management" window (for that, right-click the "My Computer" icon and then choose the "Manage" item in the menu).
Then right-click a folder containing a web-page with the RadarCube component, and choose the "Properties" item. In a dialog box, pass on to the "Directory Security" tab and press the "Edit" button selected with red.
In a dialog box "Authentication Methods", uncheck the "Enable anonymous access" and the "Integrated Windows authentication" checkboxes and tick off the "Basic authentication" checkbox.
Then, by pressing "Ok" button, save the changes you've made. That's all.
When you open a page in a protected folder, the web-browser will ask you to enter the name and the password of a domain user whose rights will be used for completing the code of the specified web page. Thus, all MDX-commands accomplished by RadarCube will be fulfilled under the rights of a user who passed authorization and who, in his turn, has or doesn't have certain rights as a MS AS user.
Connection to the MS AS server using the ASP.NET Forms authentication
For this, enable anonymous access in IIS and configure your Web application's web.config file to use Forms Authentication. For example:
<configuration>
<system.web>
<authentication mode="Forms">
<forms name=".COOKIEDEMO"
loginUrl="login.aspx"
protection="All"
timeout="30"
path="/"/>
</authentication>
</system.web>
<location path="Cube.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
</configuration>
In a given example, the Forms mode is configured in the <authentication> section. User authentication is applied when addressing the "Cube.aspx" page (it is defined in the <location> section). The user authentication process is fulfilled on the login.aspx page described below.
<html>
<body>
<form runat="server" ID="Form1">
<h1>Login Page</h1>
UserName:<input id="UserName"
type="text"
runat="server"/>
<asp:RequiredFieldValidator ControlToValidate="UserName"
Display="Static"
ErrorMessage="*"
runat="server"/>
<p>Password:<input id="UserPass"
type="password"
runat="server"/>
<asp:RequiredFieldValidator ControlToValidate="UserPass"
Display="Static"
ErrorMessage="*"
runat="server"/>
<p>Domain:<input id="UserDomain"
type="text"
runat="server"/>
<asp:RequiredFieldValidator ControlToValidate="UserDomain"
Display="Static"
ErrorMessage="*"
runat="server"/>
<p>Persistent Cookie:<ASP:CheckBox id="PersistCookie"
runat="server" />
<p><asp:button id="cmdLogin"
text="Login"
OnClick="Login_Click"
runat="server"/>
<p><asp:Label id="lblResults"
ForeColor="red"
Font-Size="10"
runat="server" />
</form>
</body>
</html>
The Login_Click server method code should look like as follows:
[DllImport("advapi32.dll", CharSet=CharSet.Auto)]
public static extern int LogonUser(String lpszUserName,
String lpszDomain,
String lpszPassword,
int dwLogonType,
int dwLogonProvider,
ref IntPtr phToken);
public const int LOGON32_LOGON_INTERACTIVE = 2;
public const int LOGON32_PROVIDER_DEFAULT = 0;
void Login_Click(Object sender, EventArgs E)
{
IntPtr token = IntPtr.Zero;
if(LogonUser(UserName.Value,
UserDomain.Value,
UserPass.Value,
LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT,
ref token) != 0)
{
FormsAuthentication.RedirectFromLoginPage(UserName.Value,
PersistCookie.Checked);
}
else
{
lblResults.Text = "Invalid Credentials: Please try again";
}
}
For this article, we used information from an amazing essay "ASP.NET Forms Authentication, Part 2" written by Abel Banda.