PerformancePoint Security Best Practices In SharePoint 2010 Authentication, Trusted Locations
Data content libraries that are trusted with SharePoint Server 2010 use document libraries that contain the PerformancePoint Services data connections. The .PPSDC files are used to manage connections for data sources. This includes Excel Services spreadsheets, OLAP Cubes, Relational databases, and SQL Server databases. The data sources in the Dashboard Designer are defined and stored in a trusted data connection library that SharePoint Server 2010 offers. The trusted data connection library consists of safe documents that belong to that particular library. Users are restricted when it comes to how data source files can be used. They can be read but not modified or deleted. Through PerformancePoint Services a document library is created through a default setting. Administrators do have the ability to manage those data connections on the server. This is accomplished through creating additional data connection libraries. When a user updates data source connections in a document library the information will be shared and updated through Dashboard Designer. There are many trusted lists that can be developed in a trusted SharePoint Server 2010 list. The list or the parent of a list allows the site collection to be trusted during the initial configuration. It can also be done later on through the Central Administrator. These lists include:
With PerformancePoint Services, the security setting for data sources gets stored in each of them. There is a setting that is used to determine if the server is connected with an unattended user account, a customized unattended user account, or an authenticated user. With the SharePoint Server 2010 Secure Store Service (SSS), the ability to securely store data is available. This includes the credentials that are associated with a specific identity or group. The Secure Store Service is available for all of the farms on SharePoint Server 2010. Each of the data sources is configured for a given user to work with the authenticated user credentials. This is referred to as the Unattended Service Account. This is a domain set of credentials that are duplication when a user is connecting to a data source.
The Unattended Service Account is used to manage the data source for the queries. This is done to prevent the PerformancePoint Services from accessing the content database when the query is being executed. With PerformancePoint Services, data is stored and retrieved through Unattended Service Account credentials. This takes place in the Secure Store Service verifications. The server has to keep both the user name and the password of a user so that they can access it. The user name is stored in the PerformancePoint Services and the password is stored in the Secure Store Service. It is important when you create an Unattended Service Account that you make sure it has the right access. There are data sources that that to be in place for it to function properly. Unattended Service Account credentials aren’t cached on a global scale. Instead, they get retrieved from the Secure Store Service as they are needed. When you open a WorkSpace file in Dashboard Designer, the credentials will be cached for the connection. The Unattended Service Account password is retrieved from the Secure Store Service so that it can be the target data source.
With claims based authentication taking place in the SharePoint Server 2010, there is support for many providers. It is used to communicate from the application servers and the front end web servers. PerformancePoint Services allows for the authentication of providers at the same time on one web application. This is limited though to when the Dashboard is used through a web browser. The Dashboard Designer relies on the web application to be extended. It is then configured in order to support the Windows authentication provider.