Posted by: Charles Maitland | Tuesday 6 February, 2007

PerformancePoint Security – First thoughts

At the training course today we encountered the security model in PerformancePoint.

Now it was clearly still work in progress, but what seemed to cause the most ripples in the class was the lack of any integration with Active Directory. This means that users need to be, in large part, manually assigned permissions to access roles in the system. The initial loading of users can be done by an import from a CSV file, but subsequent maintenance is a manual process.

This drew a number of questions and back chatter, as we are all used to controlling such features through Active Directory so that there is a single point of control.

I can see why this decision has been taken.

Compliance.

PerformancePoint maintains a detailed log of everything that is done within its remit. In order to meet the varied and complex compliance requirements that enterprise clients have, this is a must-have feature.

The question is: how can PerformancePoint log and audit changes that are made within Active Directory? In other words, if a user is in a group that has access to functionality and is then removed from that group, how will PerformancePoint log that change?

Additionally, how can this be achieved without impacting an existing AD infrastructure (which would have a negative effect on take-up) while also remaining compatible with other applications' bespoke security models?

This is clearly something that the developers are thinking about, as the back-end stored procedures contain a flag called "isWindowsGroup", but given the wide range of security models PerformancePoint will be dealing with, it is one that has been parked for the moment.
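One way an application could answer the audit question above without touching the AD infrastructure is to resolve group-backed roles against periodic directory snapshots and write its own audit records for every membership change it observes. The following is an added example, not code from PerformancePoint or from this post; the role structure (an `is_windows_group` flag alongside directly assigned users), the `CORP\...` names and both snapshots are constructed for illustration.

```python
from typing import Dict, List, Set

# Constructed sample: application roles, some backed by a Windows group
# (mirroring the "isWindowsGroup" flag mentioned in the post), others with
# users assigned directly in the application.
ROLES = {
    "Planning Contributor": {"is_windows_group": True, "group": "CORP\\PPS-Planners", "users": set()},
    "Report Viewer": {"is_windows_group": False, "group": None, "users": {"CORP\\alice", "CORP\\bob"}},
}

# Constructed directory snapshots (group -> members) taken at two points in time.
SNAPSHOT_T1 = {"CORP\\PPS-Planners": {"CORP\\alice", "CORP\\carol"}}
SNAPSHOT_T2 = {"CORP\\PPS-Planners": {"CORP\\carol", "CORP\\dave"}}


def effective_members(roles: Dict[str, dict], snapshot: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Resolve each role to the users who hold it under the given directory snapshot."""
    result = {}
    for name, role in roles.items():
        if role["is_windows_group"]:
            # Membership comes from the directory, so it can change without the app being told.
            result[name] = set(snapshot.get(role["group"], set()))
        else:
            # Directly assigned users only change through the application itself.
            result[name] = set(role["users"])
    return result


def audit_changes(roles: Dict[str, dict], before: Dict[str, Set[str]],
                  after: Dict[str, Set[str]], observed_at: str) -> List[dict]:
    """Emit one audit record per role membership gained or lost between two snapshots."""
    events = []
    prev = effective_members(roles, before)
    curr = effective_members(roles, after)
    for name in sorted(roles):
        for user in sorted(curr[name] - prev[name]):
            events.append({"time": observed_at, "role": name, "user": user,
                           "change": "granted", "source": "directory"})
        for user in sorted(prev[name] - curr[name]):
            events.append({"time": observed_at, "role": name, "user": user,
                           "change": "revoked", "source": "directory"})
    return events


if __name__ == "__main__":
    for event in audit_changes(ROLES, SNAPSHOT_T1, SNAPSHOT_T2, "2007-02-06T09:00:00Z"):
        print(event)
```

The `source` field separates directory-driven changes from ones the application made itself, which is what a compliance reviewer needs to see. Snapshot polling only records state at each poll, so a membership that is granted and revoked between two polls leaves no trace here; that gap is part of why the question in the post is hard.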

If you have views on this let the team know, either directly or via this blog and I will pass them on.


Responses

  1. Hi Charlie,

    interesting details on PPS.

    I think the mentioned problem of “AD-lookup” is a kind of standard problem if you are using AD groups in your security like you can do in Reporting Services or Analysis Services.

    But I think there still is another problem with having no single point of security management in the whole SQL-related suite.

    You can have RS reports based on AS data with a defined user connection, and you can have a SharePoint web part based on relational data.

    And now you can even have a PPS user who has no access to other enterprise reporting but will be able to do planning or reporting in PPS.

    And how do you trigger changes in the AD to be able to do compliant reporting of which user was able to connect to which data at which time?

    It's time for a new and redesigned AD integration though…

    cheers,
    Markus

  2. Markus
    I totally agree that there is a major disconnect between application-based security and Active Directory security that needs to be addressed. This is a bigger issue than PerformancePoint.

    The question is how to build a security model in PerformancePoint that is capable of being extended to include known business applications.
    This is a unique opportunity to engage in this discussion, and from my discussions around AX, one that I know MS are keen to engage in.

    There are also HUGE licensing implications. There is a major need for the PerformancePoint, SharePoint and SQL teams to engage with the Dynamics team to sort out a coherent licensing structure.

    Let's get in there!
