Introduction to Access Management
Azure Analysis Services provides robust mechanisms to manage access to your tabular models. This ensures that only authorized users and applications can query and interact with your data. Access is typically managed at the server level and then refined at the database (model) level.
Server-Level Access
Administrators can grant specific permissions to users and groups at the Azure Analysis Services server level. This is usually done through Azure Active Directory (Azure AD) roles.
Common Server Roles:
- Administrator: Full control over the server, including creating and deleting databases, managing roles, and configuring settings.
- Reader: Can read server properties but cannot perform administrative actions.
To manage server-level access, navigate to your Azure Analysis Services resource in the Azure portal. Under the 'Access control (IAM)' blade, you can assign roles to users and groups.
Database-Level Access (Model Permissions)
Once a server is deployed, you need to define permissions for users and groups to access specific tabular models (databases) hosted on that server. This is typically done using the Analysis Services engine's built-in role-based security.
Using SQL Server Management Studio (SSMS)
The most common way to manage database-level permissions is by connecting to your Analysis Services server using SQL Server Management Studio (SSMS).
- Connect to your Azure Analysis Services server using SSMS.
- Expand the 'Databases' node and right-click on the tabular model (database) you want to secure.
- Select 'Properties'.
- In the 'Security' section, click 'Search'.
- You can add existing database roles or create new ones.
Creating Database Roles
When creating or managing database roles, you assign specific permissions to the role.
| Permission | Description |
|---|---|
| Read Data | Allows users to query data within the model. |
| Read Definition | Allows users to view the model's metadata (tables, columns, etc.) but not data. |
| Process | Allows users to refresh data in the model. |
| Administrator | Full control over the database, including managing roles and permissions. |
Using Tabular Editor
For more advanced or automated management, tools like Tabular Editor provide a graphical interface for managing model objects, including roles and permissions.
You can also programmatically manage permissions using TOM (Tabular Object Model) or PowerShell scripts.
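A scripted way to define a least-privilege role, as an added example that is not part of the original page or any Microsoft sample: it builds a TMSL `createOrReplace` command for a read-only role whose only member is an Azure AD security group and sends it with `Invoke-ASCmd` from the SqlServer PowerShell module. The server URI, database name, role name and group identifier are placeholders, the function name `New-ReadOnlyRoleTmsl` is hypothetical, and authentication parameters are omitted.

```powershell
#Requires -Modules SqlServer
# Added example. Every value below is a placeholder, not taken from the page.
$Server   = 'asazure://<region>.asazure.windows.net/<server-name>'
$Database = '<database-name>'
$RoleName = 'Report Readers'
# Azure AD security groups are referenced as obj:<group-object-id>@<tenant-id>.
$GroupMember = 'obj:<group-object-id>@<tenant-id>'

# Hypothetical helper: returns the TMSL (JSON) text for a read-only role.
function New-ReadOnlyRoleTmsl {
    param(
        [Parameter(Mandatory)] [string]   $Database,
        [Parameter(Mandatory)] [string]   $RoleName,
        [Parameter(Mandatory)] [string[]] $Members
    )
    # Least privilege: 'read' permits queries only, with no refresh or admin rights.
    $tmsl = [ordered]@{
        createOrReplace = [ordered]@{
            object = [ordered]@{ database = $Database; role = $RoleName }
            role   = [ordered]@{
                name            = $RoleName
                modelPermission = 'read'
                # @() keeps a single member serialized as a JSON array.
                members         = @($Members | ForEach-Object {
                    [ordered]@{ memberName = $_; identityProvider = 'AzureAD' }
                })
            }
        }
    }
    $tmsl | ConvertTo-Json -Depth 10
}

$script = New-ReadOnlyRoleTmsl -Database $Database -RoleName $RoleName -Members $GroupMember
$script   # print the command so it can be reviewed or kept in source control

# Invoke-ASCmd returns the XMLA response as text; failures appear as <Error> elements.
$result = Invoke-ASCmd -Server $Server -Query $script
if ($result -match '<Error') { throw "Role deployment failed: $result" }
```

Because `createOrReplace` overwrites the whole role definition, any member not listed in the command is removed from the role, so the script serves as the single source of truth for who holds it.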
Best Practices for Access Management
- Principle of Least Privilege: Grant only the necessary permissions to users and roles.
- Leverage Azure AD Groups: Assign permissions to Azure AD groups rather than individual users.
- Use Database Roles: Define specific roles for different user functions within a model.
- Regularly Review Permissions: Periodically audit access to ensure security policies are being followed.
- Separate Admin and User Roles: Ensure administrative tasks are handled by distinct roles from data consumers.
Summary
Managing access in Azure Analysis Services involves a combination of Azure-level roles for server administration and model-level roles for data access. By carefully defining and managing these permissions, you can ensure the security and integrity of your analytical data.