PerformancePoint Security Best Practices In SharePoint 2010 – A Primer

With PerformancePoint Services in Microsoft SharePoint Server 2010, the objects stored in lists and document libraries can be secured when they are used within a dashboarding or graphical application. This is accomplished by coupling with the Microsoft SharePoint Server 2010 security model. Additional product features can be used to customize that security. PerformancePoint Services depends on the SharePoint Server 2010 security model. However, there are special security considerations that need to be evaluated during the planning stages, including how that security will be managed. All of the security is managed within the SharePoint Server Central Administration website. This covers all of the shared resources as well as user access.

PerformancePoint Services offers three different methods for source data authentication. Custom Data allows SQL Server Analysis Services to authenticate a user through custom specifications. The name of the user is passed as a parameter in the custom data field of the connection string. The Custom Data option is only used for Analysis Services data. It can be used with both the 2006 and 2008 servers. With Per-User Identity authentication, each user has an individual account that is used to access all of the data sources. Kerberos delegation has to be in place for this. A domain administrator configures the Kerberos delegation between PerformancePoint Services and the data sources. The external data sources have to be within the same domain as the SharePoint Server 2010 farm or a failure will occur. The Unattended Service Account is a shared user account that is used for access to all of the different data sources. This type of domain account is low privilege. It is stored in the Secure Store Service. In order to create an unattended service account, there has to be the proper access to the data sources. This is a requirement of the dashboard.

With PerformancePoint Services, data source connections and content are contained in SharePoint lists and document libraries. The security of the content ensures that users aren’t able to run queries against those data resources when the query objects can’t be trusted. For this purpose, trusted locations are created within those libraries and lists. The Farm Administrator is able to set all of the locations for the farm to be trusted. They can also choose to identify specific locations to be trusted. The ability to define which locations in the farm are secured gives a great deal of flexibility. A Farm Administrator no longer has the responsibility of securing the entire farm when it isn’t absolutely necessary to do so. These trusted locations offer an additional layer of security. They restrict which queries can be executed against the various data sources and objects. The document library for a web application can be defined as being trusted. With PerformancePoint Services, the configuration of trusted locations and settings is managed through Central Administration. The configuration can also be managed through the use of Microsoft PowerShell 2.0. When you are planning the security for PerformancePoint Services, you will need to decide if you want to secure your entire web application or only portions of it. There are often many locations within a given farm that will be marked as trusted. They use the following hierarchy within SharePoint Server for the data and data sources:

  • The use of trusted locations is disabled for data sources or content across the entire farm.
  • The web application contains trusted lists and document libraries.
  • The site collection contains trusted lists and document libraries.
  • Trusted lists and document libraries are placed in a site.
  • The farm has a trusted list or document library in place.

When it performs verifications, the server checks whether trusted locations are enabled. When they are enabled, the server checks the list of trusted locations at the site collection. It also looks down the hierarchy to verify that all of the content is trusted. Items that don’t use a data source don’t have to be in a trusted location to be accessed. This includes KPIs, dashboards, icons, and web pages. Trusted data source locations can’t be defined on a list or as a document library.
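Moving a PerformancePoint service application from trusting the whole farm to trusting one site collection, as an added example that is not part of the original article. The service application name and the URL are assumed placeholders; the cmdlets come from the SharePoint 2010 Management Shell.

```powershell
# Added example. Run in the SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed placeholder values: replace with your own.
$appName    = 'PerformancePoint Service Application'
$trustedUrl = 'https://intranet.example.com/sites/bi'

$app = Get-SPPerformancePointServiceApplication -Identity $appName

# 1. Register the trusted locations first, while the farm-wide trust is still
#    in effect, so existing dashboards keep working during the change.
foreach ($kind in 'DataSource', 'Content') {
    New-SPPerformancePointServiceApplicationTrustedLocation `
        -ServiceApplication $app `
        -Url $trustedUrl `
        -Type SiteCollection `
        -TrustedLocationType $kind
}

# 2. Only then stop trusting every location in the farm. From this point,
#    data sources and content outside the registered locations are refused.
Set-SPPerformancePointServiceApplication -Identity $app `
    -TrustedDataSourceLocationsRestricted $true `
    -TrustedContentLocationsRestricted $true

# 3. Review what is trusted now; keep this output with the change record.
Get-SPPerformancePointServiceApplicationTrustedLocation -ServiceApplication $app
```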


The List View Threshold In SharePoint 2010

There are several things to take into consideration with the list view threshold in SharePoint 2010. Several operations, including non-indexed queries and adding columns to a list, take time and resources that are proportional to the number of items in the list. With a small list this is not a concern. The bigger the list gets, though, the more of your available resources the related operations take up.

The list view threshold is a safeguard that lets you know when you should change the query. It also lets you know that the data can be accessed when farm usage is low. The list view threshold is the maximum number of items that a database can hold at once. The default is set to 5,000 items, and it affects how the system as a whole operates, so don’t increase it.

You don’t want to prevent a query from being filtered on columns that aren’t indexed. When that happens there is a filter in place and the correct data set will be affected. You need to allow the default value for the limit to be based on farm and list performance. This is how SQL Server is able to manage locks, so it is a good idea to leave it just the way it is.

You want to minimize database contention, and the best way to do so is with SQL Server row-level locking. This strategy allows accurate updates to occur without affecting users who are accessing other rows. If a read or write database operation, including a query, is in place, it can mean that 5,000 rows are all locked at the same time. It is handled more efficiently when SQL Server puts a single lock in place, which means the lock covers the entire table. This stops other users from being able to access that table.

The mixture of queries allows for the return of all the items in the list, and then more items can be returned later on. When the limit is changed from the default of 5,000 to 10,000, there is a huge impact on overall performance. It is a good idea, though, to focus on high performance from the queries.

With the list view threshold there are some exceptions, because there are operations that still have to be performed. They may not do well, though, if you reconfigure them. The limit has to be raised to the level they need so that they can operate sufficiently as you perform them. The worst that can happen is that you will need to change the enable throttle setting for a given list to false. Then the list view threshold is ignored for that list.

However, this can only be accomplished at the list level. You can’t do it for a site. You should only do this when you want to allow access to a list while changes are being made to fix the poorly performing operations that are being blocked. As soon as you are done with all of that, the enable throttle setting needs to be changed back right away.

Both farm administrators and local computer administrators on the web front-end server where the query starts aren’t blocked by the list view threshold. They are users who browse large lists, and some of those lists may turn out not to be properly configured. They have to be careful when testing them so that the data is normal when other users see it. This is why some operations are prevented by the list view threshold.

There are timer services that can be run with an account that isn’t protected by the list view threshold. This allows for various scenarios, including the creation of an index for a large list later on. The use of general will apply so that there aren’t problems during such a scenario playing out.

The list view threshold for auditors and administrators is the threshold in place for service accounts. Caching the results of a large query under this limit saves resources. Custom code can request to use the higher limit when it runs as an account that complies with the web application security policy.

Object model override determines whether service accounts can use the list view threshold for auditors and administrators. A farm administrator has the ability to allow the object model to be overridden. This is a program-specific ability that has some exceptions.

Programmers with authorization can request this for a query or a list and then benefit from it. They can change the value so that custom code can override what is already in place. It is a good idea to leave this setting at the default.

There is a daily time window that can be set for the operations to be performed. During it, operations are allowed to run without being subject to the list view threshold. The time can be changed in 15-minute increments for a period of up to 24 hours. A database operation or query that starts within the daily time window continues until it is completed, even if it doesn’t finish in the time specified.

By default the daily time window isn’t configured, because off-peak hours can vary. We suggest that you only specify a daily time window if you have reasonable off-peak hours. The time frame to use is when very few people will be using a given web application. During that window users are able to perform administrative operations on large lists. This includes creating indexes. All of this is best done during those periods when farm usage is lower than normal.
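An audit of the settings discussed above (the threshold itself, the auditor and administrator threshold, object model override, the daily time window, and lists whose enable throttle setting was left at false), as an added example that is not part of the original article. It assumes the SharePoint 2010 Management Shell and a farm administrator account; the property names are those of the SharePoint 2010 server object model, and `New-Finding` and `Get-ListThrottleAudit` are names made up for this example.

```powershell
# Added example. Read-only: reports settings, changes nothing.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$DefaultThreshold = 5000   # default list view threshold stated in the article

function New-Finding($Scope, $Url, $Setting, $Value, $Review) {
    New-Object PSObject -Property @{
        Scope = $Scope; Url = $Url; Setting = $Setting; Value = $Value; Review = $Review
    }
}

function Get-ListThrottleAudit {
    foreach ($wa in (Get-SPWebApplication)) {
        $url = $wa.Url
        # Web application settings; Review is true when a value differs
        # from the default the article recommends keeping.
        New-Finding 'WebApplication' $url 'List view threshold' `
            $wa.MaxItemsPerThrottledOperation `
            ($wa.MaxItemsPerThrottledOperation -gt $DefaultThreshold)
        New-Finding 'WebApplication' $url 'Threshold for auditors and administrators' `
            $wa.MaxItemsPerThrottledOperationOverride $false
        New-Finding 'WebApplication' $url 'Object model override allowed' `
            $wa.AllowOMCodeOverrideThrottleSettings $false
        New-Finding 'WebApplication' $url 'Daily time window enabled' `
            $wa.UnthrottledPrivilegedOperationWindowEnabled `
            $wa.UnthrottledPrivilegedOperationWindowEnabled

        # Lists where throttling was switched off and never switched back.
        foreach ($site in (Get-SPSite -WebApplication $wa -Limit All)) {
            try {
                foreach ($web in $site.AllWebs) {
                    try {
                        foreach ($list in $web.Lists) {
                            if (-not $list.EnableThrottling) {
                                New-Finding 'List' $web.Url `
                                    "EnableThrottling on '$($list.Title)'" $false $true
                            }
                        }
                    } finally { $web.Dispose() }
                }
            } finally { $site.Dispose() }
        }
    }
}

Get-ListThrottleAudit | Sort-Object Review -Descending |
    Select-Object Review, Scope, Url, Setting, Value | Format-Table -AutoSize
```

Because it walks every site and list, run it in a period of low farm usage.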