Security Issues when Profiling Multiple Analysis Services databases

Problem: When a user who is not a server admin has full permissions to two or more AS databases, Profiler does not show that user the profiling events for all of those databases. The user can trace query-related events for the first database via Profiler, but cannot capture similar events for the other databases.

Reason: This is a known limitation, because tracing is normally a feature restricted to server admins. Database admins can see the trace output only when it is safe to assume, from a security perspective, that the events produced are for a specific database only. If it is not possible to guarantee that the events relate to a single database, the events are not exposed to the user.

Alternative Solution: Create multiple Profiler traces, one for each database. When you connect to SSAS from Profiler, you can choose to profile any of the databases to which you have full admin access. Open one Profiler instance per database, and you are then profiling each of the AS databases you need.

Thanks to contributions by John Lam, Edward Melomed!

 
