Planning Server security

Updated: 2009-04-30

Planning Server is built from the ground up, strictly following the Microsoft Security Development Lifecycle (SDL). It has passed multiple well-defined checkpoints, security code reviews, and a final security review. It is secure by design, secure by default, and secure in deployment.


Planning Server leverages Integrated Windows authentication. To pass authentication, a user needs to be:

  • A valid PerformancePoint Server user

  • A valid domain user


Planning Server uses a role-based security model for authorization. It uses roles to protect metadata, data, and write-back, and to enable workflow actions. The two types of roles are administrative roles and business roles.

Planning Server administrative roles

Planning Server includes four predefined administrative roles, which support the separation of responsibilities within an organization:

  • Global Administrator

  • Modeler

  • Data Administrator

  • User Administrator

Each role enables its members to perform a specific set of tasks within a specific scope. These roles are configured in Planning Administration Console. In role-based security, nothing is inherited between model sites and model sub-sites. Administrative roles are used to grant appropriate permissions to key personnel in an organization. Your ability to perform tasks in Planning Business Modeler is determined by your membership in administrative roles.


See Planning Business Modeler online help, under "Security and roles," for more information about administrative roles.

Planning Server business roles

Business roles are defined for users who work with actual business data in PerformancePoint Add-in for Excel. Business roles are created and configured in Planning Business Modeler by members of the Data Administrator role or Modeler role. After business roles are created, users are added to them by members of the User Administrator role. When a model site is deployed, business roles are translated into dimensional security and persisted in corresponding cubes on the SQL Server 2005 Analysis Services server. For Microsoft Office Excel users, business roles control what users can view and which regions of a worksheet are writeable.

Write-back is protected by both business roles and cycle/assignment context. Cycle context determines the period start and end time and the scenarios. Combining the cycle with business roles creates a "write region," in which users are allowed to input data.

See the Planning Business Modeler online Help topic, "About user-defined business roles," for complete information about business roles.

Predefined functional roles for workflow

The predefined functional roles for workflow are Contributor, Reviewer, and Approver.

Only users or roles assigned to these functional roles are enabled for certain workflow actions such as submit, review, and approve.

Communication security

Planning Server supports Kerberos and Secure Sockets Layer (SSL) natively to enable a secured communication channel between clients and Planning Web Service.

Kerberos delegation for Planning Server

Impersonation allows a Web application or service to act on behalf of the caller's identity. This allows the Web application or service to access local resources with an identity that is not its own.

Delegation allows a Web application or service to use an impersonation token to access remote network resources. Situations where the use of delegation is required are commonly referred to as "double hop" scenarios. Delegation is based on Integrated Windows authentication and on the Kerberos protocol. Both Monitoring Server and Planning Server have configuration options in which the use of delegation is required.

Deploying the Planning Administration Console with the client (Internet Explorer) and Planning Web Service on different computers requires the Planning Remote Administration Service to be able to pass the credentials of the authenticated user to the Planning Web Service.

See the PerformancePoint Server 2007 Deployment Guide for details on configuring Kerberos delegation for Planning Server and Monitoring Server.

Secure Sockets Layer (SSL) security

PerformancePoint Server recommends SSL security for HTTP communication with Internet Information Services (IIS). Each IIS Web site must have an SSL certificate installed to enable this security.

For more information on SSL, and on how to set up a certificate server or use an existing certificate server with PerformancePoint Server, see "Setting up SSL on Your Server," available at:

See the PerformancePoint Server 2007 Deployment Guide for detailed information about installing and configuring SSL on Planning Server and Monitoring Server.

SQL Server security

PerformancePoint Planning components access databases only through predefined Planning stored procedures. All stored procedures go through security code review for SQL injection and other security threats. Planning Server setup creates two predefined SQL Server users: one is the low-privileged user for executing calculation rules and the other is the trusted service identity account for all other access. By default, business users do not have direct SQL Server access to the databases.

Analysis Services security

When a model site is deployed, business roles are translated into dimensional security and persisted in corresponding cubes on the Analysis Services server. Even if you try to access the Analysis Services cubes directly, the data will be protected in the same way as if you were accessing data through Planning Server.

Native SQL and MDX security

Planning Server provides a feature called "Using Native SQL and MDX for Rules Securely." This feature is designed to offer the maximum flexibility for users while preventing them from abusing the power of SQL Server. To enable native SQL/MDX rules, a Global Administrator selects the check box for this feature for the application. The rules are then manually marked as "Active" after the secure code review. A separate schema is created to hold the database objects generated by this feature. A low-privileged user account in SQL Server is also created to execute these rules, so that execution of the database objects is safe.
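The separate-schema, low-privileged-user pattern described above can be sketched in T-SQL as follows. This is an added example, not Planning Server's own setup script; the schema, user, table and procedure names are hypothetical, and it is meant to be run in a scratch database on SQL Server 2005 or later.

```sql
-- Added illustration. All object names are hypothetical, not the names
-- that Planning Server setup creates.

-- 1. A dedicated schema holds only the generated rule objects.
CREATE SCHEMA NativeRules AUTHORIZATION dbo;
GO

-- 2. A database user with no login and no role memberships executes the rules.
CREATE USER RuleRunner WITHOUT LOGIN;
GO

-- 3. Constructed sample data that lives outside the rule schema.
CREATE TABLE dbo.FactSample (Id int PRIMARY KEY, Amount decimal(18,2) NOT NULL);
INSERT INTO dbo.FactSample VALUES (1, 100.00);
GO

-- 4. A reviewed rule, stored in the dedicated schema.
CREATE PROCEDURE NativeRules.ApplyUplift @Pct decimal(5,2)
AS
    UPDATE dbo.FactSample SET Amount = Amount * (1 + @Pct / 100);
GO

-- 5. The only grant the rule account receives: EXECUTE on the rule schema.
GRANT EXECUTE ON SCHEMA::NativeRules TO RuleRunner;
GO

-- 6. Check the effective permissions from the rule account's point of view.
EXECUTE AS USER = 'RuleRunner';

SELECT
    HAS_PERMS_BY_NAME('NativeRules.ApplyUplift', 'OBJECT', 'EXECUTE') AS CanRunRule,    -- 1
    HAS_PERMS_BY_NAME('dbo.FactSample',          'OBJECT', 'SELECT')  AS CanReadTable,  -- 0
    HAS_PERMS_BY_NAME('dbo.FactSample',          'OBJECT', 'UPDATE')  AS CanWriteTable; -- 0

-- The procedure still updates dbo.FactSample: schema and table share an owner
-- (dbo), so ownership chaining skips the table permission check. The body of
-- the procedure is therefore the whole security boundary for this account.
EXEC NativeRules.ApplyUplift @Pct = 5;

REVERT;
GO

-- Dynamic SQL inside a rule breaks the ownership chain and is checked against
-- RuleRunner's own permissions, so it would fail here unless more is granted.
```

Because ownership chaining lets a rule reach any object with the same owner, what the rule account can actually touch is decided by the procedure text, which is why the manual code review before a rule is marked "Active" matters.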

See the PerformancePoint Server 2007 Deployment Guide for information on using PerformancePoint Expression Language (PEL) and Native SQL and MDX securely.


Consult documentation for Internet Information Services security to prevent any denial-of-service attacks that could prevent Planning Server or Monitoring Server from working correctly.
