PerformancePoint Monitoring Dashboard Object Security

On the properties tab of every object in PPS Monitoring you will find a permissions section that allows you to assign either reader or editor rights.  These permissions actually relate to two quite different areas:

  • What you will see when you view the deployed dashboard; and
  • What objects you can use and edit to build a dashboard using Dashboard Designer.

For the latter you’ll also need to be in a suitable Dashboard Designer security role, but otherwise the concepts are fairly clear: Reader will allow you to use the objects in your dashboard and Editor will allow you to edit the objects as well.

For the viewing of dashboards things are a little less straightforward:

Dashboards
To view a dashboard you’ll need to be at least a member of the reader role, otherwise you’ll get a “dashboard is unavailable” message.  Being in the editor group adds no additional permissions when viewing the dashboard (that I can see).

Data sources
Dashboard viewers need to have at least reader permissions on a data source if it is used in a KPI or report, or they will get an error message.

Scorecards
You must be at least a reader on a scorecard to be able to view it in a dashboard, otherwise it is just not displayed.  This, as with reports, can obviously cause an issue with the layout of your dashboard, as things will get moved depending on your permissions.
To be able to add comments to KPIs you need to be a member of the editor role, but you only need to be a reader to view them.

KPIs
If a KPI is used on a dashboard that you have access to, the KPI will be displayed, but you must have at least reader access on that particular KPI to see any values, otherwise they will be blank.  Strangely, if you have editor permissions on the scorecard you will be able to add a comment to the KPI whether you have permission to see it or not.

Reports
To view a report on a dashboard you need to be at least a reader.  If not, the report will not appear at all (no message).  No additional permissions seem to be available in the editor role.

Indicators
From a display point of view, Indicators inherit permission from the KPI they are displayed in, so there is no need to set any specific user permissions.  This seems to be the only area where any form of permission inheritance is used.

Note that all roles can use either groups or specific users.

Note also that you only need to publish dashboards to the PPSM server to update security permissions – there is no need to re-deploy to SharePoint unless you have changed the layout of the dashboard.
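
The viewing rules above can be checked before publishing by walking a dashboard's objects for a given user. The following is an added example, not part of the original post and not a PerformancePoint API: it models the rules as a plain Python function, and every object name, user, group and the data layout are constructed for illustration.

```python
# Added example: encodes the viewing rules observed in this post.
# All object names, users and groups below are constructed sample data.
RANK = {"reader": 1, "editor": 2}

def level(perms, obj, principals):
    """Highest role (0 none, 1 reader, 2 editor) held via the user or any group."""
    grants = perms.get(obj, {})
    return max((RANK[r] for p, r in grants.items() if p in principals), default=0)

def audit_view(dashboard, perms, user, groups=()):
    """List what `user` loses, or unexpectedly gains, when viewing `dashboard`."""
    who = {user, *groups}
    if level(perms, dashboard["name"], who) < 1:
        return ["dashboard is unavailable"]
    findings = []
    for rpt in dashboard["reports"]:
        if level(perms, rpt["name"], who) < 1:
            findings.append(f"{rpt['name']}: report silently missing, layout shifts")
        elif level(perms, rpt["source"], who) < 1:
            findings.append(f"{rpt['name']}: error, no reader right on {rpt['source']}")
    for sc in dashboard["scorecards"]:
        sc_level = level(perms, sc["name"], who)
        if sc_level < 1:
            findings.append(f"{sc['name']}: scorecard not displayed, layout shifts")
            continue
        for kpi in sc["kpis"]:  # indicators inherit from the KPI, so no separate check
            if level(perms, kpi["name"], who) < 1:
                findings.append(f"{kpi['name']}: values blank")
                if sc_level == 2:  # scorecard editors can comment on KPIs they cannot read
                    findings.append(f"{kpi['name']}: can comment without read access")
            elif level(perms, kpi["source"], who) < 1:
                findings.append(f"{kpi['name']}: error, no reader right on {kpi['source']}")
    return findings

DASHBOARD = {
    "name": "Sales Dashboard",
    "reports": [{"name": "Trend Chart", "source": "Sales Cube"}],
    "scorecards": [{"name": "Sales Scorecard", "kpis": [
        {"name": "Revenue KPI", "source": "Sales Cube"},
        {"name": "Margin KPI", "source": "Finance Cube"}]}],
}
PERMS = {
    "Sales Dashboard": {"Sales Staff": "reader"},
    "Trend Chart": {"Sales Staff": "reader"}, "Sales Cube": {"Sales Staff": "reader"},
    "Sales Scorecard": {"Sales Staff": "reader", "alice": "editor"},
    "Revenue KPI": {"Sales Staff": "reader"},
    "Margin KPI": {"Finance": "reader"}, "Finance Cube": {"Finance": "reader"},
}
```

Running `audit_view(DASHBOARD, PERMS, "alice", ["Sales Staff"])` surfaces the scorecard-editor case described under KPIs: alice sees blank values for Margin KPI yet can still comment on it.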