Minimal security settings for a Analysis Services service account

As an add-on to my previous post about adding Analysis Services to an existing SQL cluster, I thought it might also be helpful to list the various security settings which need to be set to allow SSAS to not only run but accept connections.  Again, in a dev environment, if your "service account" is an administrator account, you'll have no issues, but in a production environment if your serivce account does not have these additional rights, while the service will start up, you will not be able to actually use Analysis Services.

User Rights Assignment

After SSAS has been installed, the following security must be set to allow the chosen service account to run. 

Local Security Policy Assignment

· Open the local security policy MMC (from the Run or Command prompt type gpedit.msc)

· Navigate to Local Computer Policy->Computer Configuration->Windows Settings->Security Settings->Local Policies->User Rights Assignment

· Grant access to the SSAS service account for the following policies:

o Bypass traverse checking

o Token object creation (Create a token object)

o Security audit generation (Generate security audits)

o Locking of pages in memory (Lock pages in memory)

o Replacement of a process level token (Replace a process level token)

o Log on as a batch job

· Close the security policy MMC

File Security Assignment

· Open Windows Explorer

· Navigate to %PROGRAMFILES%\Microsoft SQL Server\MSSQL.3\OLAP (where %PROGRAMFILES% is the Program Files folder where SSAS was installed).

· Right click the OLAP folder and select “Properties”

· Select the security tab

· Grant Modify permissions to the SSAS service account

· Grant Read (Read and Execute, List Folder Contents, and Read) permissions to Network Service

· Click Apply and OK

After all security settings are applied, restart the SSAS service.

Comments

  • Anonymous
    August 30, 2010
    Any chance that you could provide any additional details regarding Lock Pages in Memory?  I have not found other sources clearly advocating its use with SSAS 2205 or 2008. Does it help performance across the board in some way, or does it simply prevent the OS from taking memory away from SSAS? Additional background:  in our particular case, we're running SSAS 2005 on Windows Server 2003 using preallocated memory (currently set to 30%).  We're also starting to use SSAS 2008 on Windows 2008 (not R2 yet) and NOT using the prellocated memory there. Thanks.

  • Anonymous
    April 13, 2011
    Hi Dave, I would look at the following article:  msdn.microsoft.com/.../ms190730.aspx