Tim

Tim Kent's Blog

PerformancePoint Monitoring Dashboard Object Security

On the properties tab of every object in PPS Monitoring you will find a permissions section that allows you to assign either reader or editor rights.  These permissions actually relate to two quite different areas:

  • What you will see when you view the deployed dashboard; and
  • What objects you can use and edit to build a dashboard using dashboard designer.

For the latter you'll also need be in a suitable dashboard designer security role which I've posted about previously but otherwise the concepts are fairly clear;  Reader will allow you to use the objects in your dashboard and Editor will allow you to edit the objects as well.

For the viewing of dashboards things are a little less straight forward:

Dashboards
To view a dashboard you'll need to be at least a member of the reader role otherwise you'll get a "dashboard is unavailable" message.  Being in the editor group adds no additional permissions when viewing the dashboard (that i can see)

Data sources
Dashboard viewers need to have at least reader permissions on a data source if it used in a kpi or report or you will get an error message

Scorecards
You must be at least a reader on a scorecard to be able to view it in a dasboard otherwise it is just not displayed.  This, as with reports also, can obviously cause an issue with the layout of your dashboard as things will get moved depending on your permissions.
To be able to add comments to KPI's you need to be a member of the editor role but only be a reader to view them

KPIs
If a KPI is used on a dashboard that you have access to, the kpi will be displayed but you must have at least reader access on that particular KPI to see any values otherwise they will be blank.  Strangely, if you have editor permissions on the scorecard you will be able to add a comment to the KPI whether you have permission to see it or not

Reports
To view a report on a dashboard you need to be at least a reader.  If not the report will not appear at all (no message).  No additional permissions seem to be available in the editor role.

Indicators
From a display point of view Indicators inherit permission from the kpi they are displayed in, so there is no need to set any specific user permissions.  This seems to be the only area where any form of permission inheritance is used.

Note that all roles can either use Groups or specific users.

Note also that you only need to publish dashboards to PPSM server to update security permissions - there is no need to re-deploy to Sharepoint unless you have changed the layout of the dashboard.

Comments (1) -

  • nkarthik

    6/10/2009 3:40:17 AM | Reply

    Hi,

    I am having an issue something related to this article. We have a SharePoint farm and PerformancePoint Server installed on one of the SharePoint server and integrated with SharePoint farm. I can build the dashboard elements in dashboard designer and published it to a SharePoint web application (http://intranet) and I had extended this web application and created a forms based authenticated web application which is SSL certified for extranal users (https://extranet).

    I could deploy the monitoring webpart to my extranet web application https://extranet which I could find in some blog.

    When I published the dashboard to http://intranet, everything works fine. But when I try to see it in https://extranet, it shows me an error. The Dashboard is unavailable. Contact your system administrator for assistance.

    I read in this article that, If we get this error then it means that we don't have permissions on the dashboard. But the PerformancePoint dashboard works with the application pool account right?

    I created a service account and assigned it to application pools of PerformancePoint Monitoring Server and SharePoint Web applications deployed with Dashboard Viewer Web Part. And also assigned this account a reader permission to all the elements in the dashboard, data source and also SQL Server databases and cubes.

    It works fine with windows authentication, can't we dispaly dashboard with forms based authentication?

    My doubt is Can we dispaly PerformancePoint dashboard in SharePoint with Forms Based Authentication?

    Thanks,
    Karthik

Loading