Tag Archives: SSAS

How to Auto-Generate a Time Dimension

Posted on by
Reply

One thing almost every Data Warehouse has in common is that they have a Time dimension.  There’s almost always a need to view aggregated data by day, month, quarter, year, etc.  In addition to the standards you might also have a fiscal calendar that’s slightly different than the standard calendar.  Typically a decision is made to generate the Time dimension starting at point in time the business feels the data will be relevant to the warehouse, and then populated out into a point in time that’s in the distant future (I usually do about 10 years for starters. 

Now you could spend a lot of time writing the sql script that is going to create and populate your time dimension.  However, you can also use SQL Server Analysis Services (SSAS) to do the bulk of the work for you (even if you don’t actually plan on using SSAS…..or if SSAS is a little intimidating to you). 

This walkthrough will guide you through using one of the built in wizards to generate and populate a Time dimension inside your SQL Server database, with very little effort.  In this walkthrough I’ll be using SQL Server 2012, but the steps are very similar in SQL Server 2008.  So let’s get to it:

1.       First things first, we’ll need to create a new Analysis Services project in SQL Server Data Tools (or BIDS in 2008).  If you’re using 2012, make sure to select the “Multidimensional and Data Mining” project, and not the “Tabular Project”.  Name it whatever you want and click ok.

clip_image002

2.      Once our project is created you should see several folders in your “Solution Explorer” (right hand side of your screen most likely).  Right click on the Dimensions folder as shown below and then left click on “New Dimension…”.

clip_image003

3.      Make sure to select “Generate a time table in the data source” and then click next.

clip_image004

4.      On this screen we get to choose the start and end date ranges for the dates we want to populate our time dimension with.  In addition we get to choose what additional attributes we want to include in our Time dimension such as Quarter, Hafl Year, etc.  Make your selections, and then click next.

clip_image005

5.      If you have Fiscal or reporting calendars that are offset from the standard calendar, you can choose to include additional attributes with those offset values in your calendar.  In this example we’re not going to use any of these, but it’s important you know they’re available.  Click next.

clip_image006

6.      On this screen I’ve renamed the dimension from Time to DimTime just because I’m in the habit of always starting my dimension table names with Dim.  Feel free to rename your dimension whatever you want here.  YOU MUST MAKE SURE TO CHECK “Generate schema now” BEFORE YOU CLICK FINISH!  That’s why I highlighted it in yellow all pretty like.

clip_image007

7.      Now we’ve kicked off a new wizard (by selecting  “generate schema now” in our previous screen and selecting finish) to generate our schema.  Click next on the intro screen.

clip_image008

8.      Now we need to create a data source that points to the database that we want our dimension table created in.  Click new, and walk through the data source creation wizard.  It’s exactly like the data source wizard that you find in SSRS, SSIS, or SSAS.  Once you’ve created your data source, select it in the “Data source” dropdown and click next.

clip_image009

9.      You can tell the wizard to create or not create various constraints on the table when it gets created.  For this example we’re going to leave all options checked (default).  Just make sure the “Populate time table(s)” dropdown has “Populate” selected and then click next. 

clip_image010

10.  This screen contains several options that should all be pretty self-explanatory.  We’re going to leave them all as their default values and click next.

clip_image011

11.  Aww yeaaaah!  The finish screen!  Your screen should look something similar to mine, just review it and as long as nothing looks out of place go ahead and click finish.

clip_image012

12.  The schema generation process might take a few minutes.  I’d guess the wider the range of the start and end dates you picked at the beginning of the wizard, the longer it will take.  Ultimately you want to see “Generation Completed Successfully” down at the bottom left in green.

clip_image014

13.  Now if I open up a query window in SQL Server Management Studio (SSMS) to the same database that I pointed my data source to during the walkthrough, I see that I now have a table named DimTime (though yours will be named whatever you named it…..it will be named “Time” if you didn’t specify anything).  Running a quick select * statement shows me that it is indeed populated. 

clip_image015

 

Well, that was pretty easy….Way more so than writing our own scripts to generate and populate this table.  Well, I hope everyone found this useful.  I also recently enabled comments on the blog (so feel free to leave a comment if this did or didn’t work out for you.)

How to configure dynamic security in Analysis Services and Performance Point 2010 without Kerberos

Posted on by
1

Also titled – “how can you make it so users only see data that belongs to them…without configuring Kerberos”

By the end of this walkthrough you’ll hopefully have a pretty good understanding of how to implement dynamic security in a Performance Point 2010 dashboard connected to analysis services. Security in general can be a pretty tricky subject, and if you don’t understand the basics it’s easy to get lost/confused. I’ll try my best to make this as simple as possible with lots of screen shots.

If you’re not familiar with terms like “Double Hop”, and why you might need Kerberos configured, you should go watch this video http://go.microsoft.com/fwlink/?LinkId=218209 it’s pretty easy to follow, and will probably make the rest of the walkthrough easier to understand. (although, you do not need Kerberos configured to implement this)

Let’s start off by taking a look at our data source options in PerformancePoint. There are 3 different options when you create a new data source in PerformancePoint as shown below in the highlighted yellow area

clip_image002

Let’s take a minute to talk about each one and how it works

1. “Unattended Service Account” – This is by far the easiest to implement. In this scenario you configure a service account in the “Secure Store Service Application” in SharePoint and all PerformancePoint users use those credentials when connecting to your data source.

2. “Unattended Service Account and add authenticated user name in connection string” – This method is the same as the first, with one exception. In addition to using the service account, it also passes the current users id, which can then be retrieved later using the CUSTOMDATA() function in MDX.

3. “Per-user Identity” – This option always connects to your SSAS data source as the current logged in user. HOWEVER, you’ll almost certainly need to have Kerberos configured on your domain in order to make this work….and Kerberos configuration is indeed no small task…..even getting the security needed to configure Kerberos in the first place can be a nightmare. The only way you won’t need Kerberos, is if your SharePoint installation resides completely on 1 server, AND your SSAS instance and cube also happen to be on that server…….and that shouldn’t be the case. It should be noted though, that implementing Kerberos is a best practice, and if this option is available to you, it is more secure and recomended.

In order to implement dynamic security we’ll be using the 2nd option “Unattended Service Account and add authenticated user name in connection string”. Once you’ve got your data source configured as such, go ahead and create an analytics grid report and place this mdx in it (This is assuming you’re using the [Adventure Works DW 2008R2] SSAS project. If you’re not, then I’ve highlighted the important parts below, just replace non highlighted parts with something that is relevant to your cube)

WITH MEMBER [Measures].[MyUsername] as CUSTOMDATA()

SELECT

{ [Measures].[MyUsername] } ON 0,

NON EMPTY { [Employee].[Title]} ON 1

FROM [Adventure Works]

If all has gone well thus far, the results of this should show “MyUsername” with a value of the account you’re currently logged in as….something like “domain\username”. Now in order to implement dynamic security, this user name will need to physically exist in our cube data somewhere, so that we can compare/match to it. There are a few different ways you could go about it, but for the sake of simplicity in this example, we’re going to say that there’s a dimension called DimOpportunity that has an attribute called “Account Owner” that contains our user id’s. Our goal is:

User should only see opportunities that belong to them based on who they’re logged in as.

In order to make that happen we’ll need to create a new role in our cube, and apply some “allowed sets” to the dimension that passes in our user id and makes the comparison. To create a new role in your cube you’ll want to

1. Connect to Analysis Services with SQL Server Management Studio (SSMS).

2. Select the database your cube is in, expand it, and then right click on rolesànew role

clip_image003

On the general tab of your new role, you can assign the role a name, I’m just going to leave the name as “Role” since this is just an example, but you’ll obviously want to give it a more meaningful name.

clip_image005

After you’ve named your role, click on the “Cubes” page as shown below, and change your Access, and Local Cube/Drillthough values to match what’s shown below (Cube name has been blacked out to protect the innocent). You'll get some additional prompts asking if you want to enable dimensions for read...yes you do.

clip_image007

Next you’ll want to select the “Dimension Data” page on the left hand side, then select the dimension you want to apply the security to. (remember, this dimension will need to have the actual user names in one of its attributes, so we can compare to it) In my case I’m comparing to Dim Opportunity.

clip_image009

After we’ve selected our dimension, you’ll need to click on the “Advanced” tab and then select the attribute that contains our user name from the Attribute drop down box. In my case that attribute is Account Owner. We then need to create an allowed member set. Allowed member sets grant access to only the attributes that have been specifically assigned…all other attributes not specified in the set are denied. Since we want the user to see only rows that they are assigned to, we can use the STRTOMEMBER() and CUSTOMDATA() function to define the named set like so:

{strtomember("[Dim Opportunity].[Account Owner].&[" + CUSTOMDATA() + "]")}

clip_image011

If we want this limitation to apply to other dimensions hanging off our fact, we’ll also need to make sure to check the “Enable Visual Totals” checkbox, as shown above.

We’re almost done! Next we’ll need to tell our PerformancePoint data source to use our new security enabled role we’ve created when it retrieves data. To do this we simply open the data source in PerformancePoint Dashboard Designer, and type our role name in the box titled “Role:”. Since our Role was simply named “Role”, that’s what you see in the screenshot below.

clip_image013

If all has gone well, you should now be able to log into your dashboard and view the data filtered based on who you are. Hopefully you’ve found this walkthrough helpful, if so gimme some stars. You can find some additional reading on the subject at the below link.

http://www.sqlmag.com/article/sql-server-analysis-services/protect-udm-with-dimension-data-security-part-2