At the training course today we encountered the security model in PerformancePoint.
It was clearly still a work in progress, but what seemed to cause the most ripples in the class was the lack of any integration with Active Directory. This means that users need to be, in large part, manually assigned permissions to access roles in the system. The initial loading of users can be done by an import from a CSV file, but subsequent maintenance is a manual process.
This drew a number of questions and back chatter, as we are all used to controlling such features through Active Directory so that there is a single point of control.
I can see why this decision has been taken.
PerformancePoint maintains a detailed log of everything that is done within its remit. To meet the varied and complex compliance requirements of enterprise clients, this is a must-have feature.
The question is: how can PerformancePoint log and audit changes that are made within Active Directory? In other words, if a user is in a group that has access to functionality and is then removed from that group, how will PerformancePoint log that change?
Additionally, how can this be achieved without impacting an existing AD infrastructure, which would have a negative impact on take-up, while also remaining compatible with other applications' bespoke security models?
This is clearly something that the developers are thinking about, as the back-end stored procedures contain a flag called "isWindowsGroup", but given the wide range of security models PerformancePoint will be dealing with, it is one that has been parked for the moment.
If you have views on this, let the team know, either directly or via this blog, and I will pass them on.