Authorization and permissions in PerformancePoint Services (SharePoint Server 2010)
Applies to: SharePoint Server 2010 Enterprise
Planning permissions and roles
PerformancePoint Services uses the SharePoint Server security model to control user access to various functionality and tasks. There are subtle yet significant changes in working with PerformancePoint Services in Microsoft SharePoint Server 2010 over Microsoft Office PerformancePoint Server 2007. In Microsoft Office PerformancePoint Server 2007, Monitoring Server has its own server and database that stores metadata and content. In Microsoft Office PerformancePoint Server 2007, security is applied globally at the server level and on each individual object.
In SharePoint Server 2010, the PerformancePoint metadata content is stored in SharePoint lists and document libraries. You therefore need to understand the differences between the assignment of permissions and roles between Microsoft Office PerformancePoint Server 2007 and SharePoint Server 2010.In Microsoft Office PerformancePoint Server 2007, the administrator on the server computer is automatically made an administrator. In SharePoint Server 2010, that individual is not automatically made an administrator. If needed, this assignment may be done manually.
Roles and permissions
PerformancePoint Services uses SharePoint Server authorization groups and permissions. As you plan how your users will use the service, review the primary SharePoint Server roles.
Farm Administrator: In order to edit Dashboard items, this role needs at least contributor permissions on content lists (or list items) and data source libraries (or library items).
Site collection Administrator In order to edit Dashboard items, this role needs at least contributor permissions on data source libraries (or library items).
Site Administrator or List/Document Library contributor: In order to edit Dashboard items, this role needs at least contributor permissions on content lists (or list items) and data source libraries (or library items).
Important
If any person or role is tasked with re-deploying Dashboards after they have been imported from Microsoft Office PerformancePoint Server 2007, that person or role must have at least Designer permissions.
We recommend as a best practice that you create new SharePoint groups (or leverage existing ones) to help organize your roles within PerformancePoint Services. If you establish clear permission groups by work role you can keep better control over who has access to what.
The four server roles that are available in Microsoft Office PerformancePoint Server 2007 loosely map to predefined roles in SharePoint Server 2010. In PerformancePoint Services, they are Admin, Power Reader, Data Source Manager, and Create. In addition, two additional roles of Editor and Reader at the individual item level are set within Dashboard Designer. The table below maps out how roles in PerformancePoint Server 2007 map to PerformancePoint Services in Microsoft SharePoint Server 2010.
Important
Being an administrator on the server does not automatically add you as an administrator in PerformancePoint Services in Microsoft SharePoint Server 2010.
| PerformancePoint Server 2007 role | PerformancePoint Server 2007 Permissions | PerformancePoint Services in Microsoft SharePoint Server 2010 role | Comments |
|---|---|---|---|
Admin |
Edit any item and create new items |
Contributor: Data Content and Data Sources |
|
Power Reader |
Read any items (used for SDK processes) |
Read: Data Content and Data Sources |
|
Data Source Manager |
Create new items (data sources only) |
Contributor: Data Sources only |
|
Creator |
Create new items (except for data sources) |
Contributor: Data Content Only |
|
Item Permissions |
|||
Editor |
View, edit or delete the item |
Contributor |
|
Reader |
View the item |
None |
Another way of approaching access needs is to look at the permissions based on the tasks:
| User task | PerformancePoint Services in Microsoft SharePoint Server 2010 Permissions Required | |
|---|---|---|
| Launch Dashboard Designer | None, other than being an authenticated user in SharePoint Server 2010 | |
| Create PerformancePoint Dashboard items and save them to a SharePoint list or document library. | Contributor | |
| Perform all Contributor tasks plus publish PerformancePoint Dashboards | Designer | |
| View PerformancePoint Dashboards and use interactive features | Read | |
| Manage user permissions for Dashboard items | Full Control (Site) or Site Collection Administrator | |
See Also
Concepts
Plan for PerformancePoint Services security (SharePoint Server 2010)