Whereas the authorization tactics discussed in Patterns for Row-Level User Security affect end-users directly, these administrative practices apply to the systems behind the scenes.

Restrict Access By Role

Objective: limit a database user's access.

The Analytics Middle Tier has been designed to support BI tools that operate most efficiently when pulling data directly from a database, rather than sourcing from APIs or files. Direct access to the middle tier database is an assumed requirement. To support this, the SQL Server account used to connect to the ODS can be placed in the analytics_middle_tier role, which will instantly grant read-only access to the dimensional view. Limiting that account to only this role will prevent that account from accessing any of the underlying data in the ODS. See the AMT Deployment Guide for more information.

Some BI tools support a "direct query mode" that bypasses the analytics database in favor of executing a SQL query against the source database. Aside from the performance concerns of allowing direct query access, there is also a security concern. Generally it will be preferable to manage end-user access only through the BI tool's data model and not allow direct end-user queries.

Encryption in Transit

Objective: protect data as it passes through the network, from the SQL Server to the analytics engine.

Whenever possible, the connection from a BI tool to SQL Server should use an encrypted connection (TLS). When using a connection string with SQL Server Native Client, add the following to that string: Trusted_Connection=yes;Encrypt=yes;.

It may also be necessary to enable encrypted connections in SQL Server.

If encrypted connections are not an option, then placing the analytics engine and SQL Server together in an isolated (i.e., firewalled) network segment can mitigate the risk of someone maliciously reading network packets that are sent in the clear.

Encryption at Rest

Objective: protect data in storage.

Whether or not to encrypt data at rest is a decision that each organization needs to analyze carefully. SQL Server hosting the ODS has multiple options for encryption, although Transparent Data Encryption is the only option that works without modifying the ODS database.

Analytics databases may or may not support encryption at rest, and implementors will need to investigate their BI platform of choice to determine what it is capable of. For example, Amazon QuickSight does offer encryption at rest when using the Enterprise plan. Data stored in Azure Analysis Services are always encrypted at rest.


  • No labels