Analysis Services Configuration - Account Provisioning
Use the Analysis Services Configuration page of the SQL Server Installation Wizard to grant administrative permissions to users or services requiring unrestricted access to Analysis Services.
If you are installing PowerPivot for SharePoint, you should grant administrative permissions to SharePoint farm administrators or service administrators who are responsible for a deployment of SQL Server PowerPivot for SharePoint in a SharePoint 2010 farm. For more information about PowerPivot installation and service account requirements, see How to: Install Analysis Services on a New SharePoint Server.
Considerations for Provisioning SQL Server
Beginning in SQL Server 2005, significant changes were implemented to help ensure that SQL Server was more secure than previous versions. Changes included a "secure by design, secure by default, and secure in deployment" strategy designed to protect the server instance and its databases from security attacks.
SQL Server 2008 continues the security hardening process by introducing more changes to the server and database components. The changes introduced in SQL Server 2008 further decrease the surface and attack areas for the server and its databases by instituting a policy of least privileges and increases separation of Windows administration and SQL Server administration. This means that internal accounts are protected and separated into operating system functions and SQL Server functions. These measures include:
New SQL Server 2008 installations no longer add the local Windows Group BUILTIN\Administrators to the Analysis Services server administrator role of the instance you are installing. If you want to add the local Administrators group to the server administrator role, you must explicitly specify that group.
The ability to provision one or more Windows principals into the server administrator role of the Analysis Services instance. This option is available during SQL Server Setup for new installations of SQL Server 2008.
The Surface Area Configuration (SAC) tool has been removed, and replaced by policy-based management and changes in the SQL Server Configuration Manager tool.
These changes will affect your security planning for SQL Server, and help you create a more complete security profile for your system.
Considerations for Running SQL Server 2008 on Windows Vista and Windows Server 2008
Windows Vista and Windows Server 2008 include a new feature, User Account Control (UAC), that helps administrators manage their use of elevated permissions. By default, on Windows Vista and Windows Server 2008, administrators do not use their administrative rights. Instead, they perform most actions as standard users, temporarily assuming their administrative rights only when it is necessary. However, instead of elevating privileges, we recommend that you create a Windows user account that has sufficient permissions to perform all necessary administrative tasks.
UAC causes some known issues. For more information, see the following Web pages:
Specify Analysis Services Administrators - You must specify at least one system administrator for the instance of SQL Server. The users or groups that you specify will become members of the server administrator role of the Analysis Services instance you are installing.
To add the account under which SQL Server Setup is running, click the Add Current User button. If you are installing PowerPivot for SharePoint using the New SharePoint Server option, be sure to add yourself as an Analysis Services administrator. This step allows SQL Server Setup, running under your Windows identity, to configure a SharePoint farm and deploy PowerPivot for SharePoint.
To add other users or services, click the Add… button and then enter the Windows domain user accounts for the person or service requiring administrative permissions.
To remove accounts from the list of system administrators, click Remove and then edit the list of users, groups, or computers that will have administrator privileges for the instance of SQL Server.
When you are finished editing the list, click OK, then verify the list of administrators in the configuration dialog box. When the list is complete, click Next.