MicroStrategy - Security


http://www.tek-tips.com/viewthread.cfm?qid=819651
http://www.dys.com/Documents/TrainingGuides/SecurityAndControls_TG_v2008SE.pdf
http://www.bizjournals.com/washington/blog/techflash/2015/04/microstrategy-releases-usher-its-first.html
https://www.microstrategy.com/Strategy/media/downloads/products/express-security-framework.pdf
https://www.microstrategy.com/Strategy/media/downloads/training-events/world2015/MSTRWorld2015_T6_S5_Administer-User-Access-Using-MicroStrategy-9s.pdf?ext=.pdf
https://cisco-partnerpedia-production.s3.amazonaws.com/product_files/80132/original/CloudSecurity_WP_0212_FINAL.pdf?AWSAccessKeyId=AKIAIXDZHQFL74PEDBPA&Expires=1445543274&Signature=VHloB8FSo7HepL9Zv1aAUoK3RKg%3D
http://community.microstrategy.com/t5/Server/TN47316-Steps-to-prevent-unencrypted-MicroStrategy-Application/ta-p/196951

How can we (administrators) see the data that the user sees if we can find the cache or history list?

The only way to view the contents of the report cache would be to run a report on the Intelligence Server that will hit the cache. If running as administrator matches the cache, then it will hit it, but if not (for example, if the user who created the cache has a different security filter or connection mapping, etc.) then you would not be able to view the cache contents.

When we find the cache, we can right-click on it and select the Quick View functionality. Perhaps we can determine the prompt and the SQL statement that was generated and used.

What information can I get from the history list Quick View?

  • Start time and finish time
  • Report Details / Prompt information
  • The number of data sets involved and the SQL statement that was used for each data set

As an administrator, how can I receive a copy of the report for auditing purposes?

When a user runs a report via MSTR Web, I am not sure if I can receive a Bcc copy of that report for auditing (to see if the data contains information from other facilities which this user should not have access to). If I can, I probably want to have that Bcc copy delivered to a separate email address. As for scheduled reports that are delivered via email, I may be able to receive a Bcc copy of them. Here is a response from the MSTR support team:

You could add a CC or BCC on the subscription itself for email subscriptions, or enable the SMTP extension for delivery notification (this would not include the contents of the subscription, only a notice that the email was delivered) but there is not currently any way to programmatically add an address to be CCed on all subscription executions.

The SMTP extension that they referred to is under "Administration -> Delivery Managers -> Transmitters". Right-click on Email and select Edit.

If the report was scheduled for delivery to the history list / inbox rather than email, there is no way to receive a Bcc copy.

If I truly need to receive a Bcc copy via email, I may need to hook into the COM SDK somehow. In the meantime, if the reports contain a column displaying the ID of the facilities, I can have the SDK (MSTR Web SDK) check for HIPAA violations when the report is run. If it contains data from other facilities, I can display a message and not render the report.
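
One way to implement the facility check described above, as an added example that is not MicroStrategy SDK code and not part of the original notes. It assumes the report result has been exported to CSV and that the facility column is headed "Facility ID"; the function names and the sample export are constructed for illustration.

```python
import csv
import io

class FacilityCheckError(Exception):
    """Raised when the report cannot be checked; callers should not render."""

def find_facility_violations(report_csv, allowed_facilities, facility_column="Facility ID"):
    """Return (row_number, facility_id) pairs for rows outside the user's facilities.

    Fails closed: a report without the facility column raises instead of passing.
    """
    allowed = {f.strip().upper() for f in allowed_facilities}
    reader = csv.DictReader(io.StringIO(report_csv))
    # Match the header case-insensitively, ignoring surrounding whitespace.
    headers = {(h or "").strip().lower(): h for h in (reader.fieldnames or [])}
    column = headers.get(facility_column.strip().lower())
    if column is None:
        raise FacilityCheckError(f"column {facility_column!r} not in report")
    violations = []
    for row_number, row in enumerate(reader, start=1):
        value = (row.get(column) or "").strip().upper()
        # A blank facility ID cannot be tied to an allowed facility, so flag it.
        if value not in allowed:
            violations.append((row_number, value or "<blank>"))
    return violations

def may_render(report_csv, allowed_facilities, facility_column="Facility ID"):
    """True only when every row belongs to one of the user's facilities."""
    try:
        return not find_facility_violations(report_csv, allowed_facilities, facility_column)
    except FacilityCheckError:
        return False

# Constructed sample export (hypothetical column names and values).
SAMPLE_REPORT = """Facility ID,Patient Count,Month
F001,120,2015-01
F002,98,2015-01
f001,131,2015-02
,7,2015-02
"""

if __name__ == "__main__":
    for row, facility in find_facility_violations(SAMPLE_REPORT, ["F001"]):
        print(f"row {row}: facility {facility} not permitted")
    print("render" if may_render(SAMPLE_REPORT, ["F001"]) else "block")
```

The violation list can also be written to an audit log alongside the user and report name, which gives a record of blocked renders without storing the report data itself.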

Other questions:

  • Should we log the SQL statements when the report is run? How? Do we need to log the data (HTML, Excel, PDFs)? Can we use "write back" for this? How long should we keep these data around for?
  • Does MicroStrategy have functionality for security auditing besides the change journal?