XML for Analysis – Security

Overview

XML for Analysis (XMLA) uses standard web‑based protocols (HTTP/HTTPS) to communicate with Microsoft Analysis Services. Securing XMLA connections is essential to protect data, manage access, and ensure compliance.

Authentication

XMLA supports several authentication mechanisms:

Configure the authentication method in the connection string:

    Data Source=https://myas.example.com/olap/msmdpump.dll;
    Catalog=AdventureWorksDW2019;
    Integrated Security=SSPI;   // Windows Auth
    // or
    User ID=myUser;Password=myPass;   // SQL Auth

Encryption (Transport Security)

All XMLA traffic should be encrypted using HTTPS. To enforce TLS:

  1. Install a valid SSL certificate on the server.
  2. Configure the IIS or HTTP.SYS binding to require SSL.
  3. Set TransportSecurity=SSL in the client configuration.

Example connection string using SSL:

    Data Source=https://myas.example.com/olap/msmdpump.dll;
    Catalog=AdventureWorksDW2019;
    Integrated Security=SSPI;
    TransportSecurity=SSL;

For Azure Analysis Services, the endpoint is always HTTPS.
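
The Python sketch below is an added example, not part of the original page or of any Microsoft tooling. It audits XMLA connection strings for the authentication and transport settings described above: a plain http:// Data Source, a missing TransportSecurity=SSL (as in step 3), and a password embedded in the string. The function names, finding codes and sample strings are assumptions made for illustration.

```python
def parse_conn_str(conn):
    """Split 'Key=Value;...' into a dict; keys are treated case-insensitively."""
    props = {}
    for part in conn.split(";"):
        key, sep, value = part.partition("=")
        if sep:  # ignore empty segments left by a trailing ';' or line breaks
            props[key.strip().lower()] = value.strip().strip("\"'")
    return props


def audit_conn_str(conn):
    """Return hypothetical finding codes for one XMLA-over-HTTP connection string."""
    props = parse_conn_str(conn)
    source = props.get("data source", "").lower()
    findings = []
    if source.startswith("http://"):
        findings.append("PLAINTEXT_HTTP")  # traffic is not encrypted
    if props.get("transportsecurity", "").lower() != "ssl":
        findings.append("TRANSPORTSECURITY_NOT_SSL")  # step 3 not applied
    if props.get("password"):
        findings.append("EMBEDDED_PASSWORD")  # secret stored in configuration
        if not source.startswith("https://"):
            findings.append("CREDENTIALS_OVER_PLAINTEXT")
    return findings


# Constructed sample strings; host and catalog are the page's placeholders.
SAMPLES = {
    "reports": "Data Source=https://myas.example.com/olap/msmdpump.dll;"
               "Catalog=AdventureWorksDW2019;Integrated Security=SSPI;"
               "TransportSecurity=SSL;",
    "legacy": "data source=http://myas.example.com/olap/msmdpump.dll;\n"
              "    Catalog=AdventureWorksDW2019;\n"
              "    User ID=myUser;Password=myPass;",
    "etl": "Data Source=https://myas.example.com/olap/msmdpump.dll;"
           "Catalog=AdventureWorksDW2019;User ID=myUser;Password=myPass;",
}

if __name__ == "__main__":
    for name, conn in SAMPLES.items():
        print(name, audit_conn_str(conn) or "ok")
```
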

Role‑Based Access Control

Analysis Services uses roles to define permissions. Assign users or groups to roles via SQL Server Management Studio (SSMS) or PowerShell.

Permission    Description
Read          Allows execution of MDX/DAX queries.
Read/Write    Allows both querying and processing of objects.
Admin         Full control over the server and all databases.

Best Practices

Troubleshooting

If you encounter authentication errors:

  1. Verify the client can resolve the server name over DNS.
  2. Check that the required ports (443 for HTTPS) are open.
  3. Confirm the account is a member of the target role.
  4. Review the server’s msmdsrv.ini for authentication settings.

Use the following PowerShell cmdlet to list role memberships:

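    Import-Module SqlServer
    # Single quotes stop PowerShell from expanding $System as a variable,
    # which would otherwise send "SELECT * FROM .DISCOVER_ROLES" to the server.
    Invoke-ASCmd -Server "myas.example.com" -Database "AdventureWorksDW2019" -Query '
        SELECT * FROM $System.DISCOVER_ROLES
    '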