Here is an excerpt from the MS white paper on the deployment of PerformancePoint Server 2007, covering the PerformancePoint server roles.
The security model for Planning Server is based on roles. Users are assigned to roles, and their permission levels in the Planning Server system are dictated by the roles to which they belong. The two types of roles are administrative roles and business roles.
Planning Server includes four predefined administrative roles, which support the separation of responsibilities within an organization:
· Global Administrator
· Modeler
· Data Administrator
· User Administrator
Each role enables its members to perform a specific set of tasks within a specific scope. These roles are configured in the Planning Administration Console.
More information about administrative roles is available in the “Security and roles” section of the Planning Business Modeler online Help.
The Global Administrator role has a system-wide scope. The other administrative roles have either an application scope or a model-site scope.
At the application level, a user in the Modeler, Data Administrator, or User Administrator role has permissions for all model sites in the application.
At the model-site level, a user in the Modeler, Data Administrator, or User Administrator role has permissions only for the specific model site.
The following table provides a high-level description of the administrative roles. Users who belong to multiple administrative roles can perform all tasks that are associated with each role.
|Role||Main tasks in Business Modeler||Scope|
|Global Administrator||Create and delete applications and model sites. To open a model site and use Planning Business Modeler, members of the Global Administrator role must also belong to another administrative role.||System-wide|
|Modeler||Create and manage data and workflow processes.||Application or model site|
|Data Administrator||Create and manage data and workflow processes. Perform data integration tasks.||Application or model site|
|User Administrator||Manage users.||Application or model site|
A user who belongs to the Global Administrator role cannot connect to a server in Planning Business Modeler unless he or she also belongs to another administrative role. The only exception is to create the first application on Planning Server. A user who belongs only to the Global Administrator role can open Planning Business Modeler to create the first application.
Because of the potential for database errors when you use a multiple-server environment, we recommend that all Global Administrator tasks are performed in the Planning Administration Console.
Members of the Global Administrator role can perform the following tasks:
· Create or delete applications and model sites
· Add users to or remove users from the User Administrator role for the model site
Typically, members of the Modeler role have both the technical and business expertise to perform modeling tasks. Members of the Modeler role can perform the following tasks in Planning Business Modeler within their scope (application or model site):
· Create, modify, or delete models, dimensions, and member sets.
· Deploy models and model sites.
· Create, modify, or delete assumptions.
· Create, modify, or delete cycles, workflow assignments, and calendars.
· Create, modify, or delete associations.
· Create, modify, delete, or run rules.
· Create, modify, delete, or run jobs. However, they cannot run Data Load, Data Export, or Data Movement jobs.
· Create, modify, or delete business roles within their scope. However, only members of the User Administrator role can manage role membership.
Users who are assigned to the Modeler role have unrestricted Read and Write access to all business data within their scope. This is true even if they belong to a business role that has restricted settings.
Members of the Data Administrator role use Planning Business Modeler and the PerformancePoint Command Utility (ppscmd) as the primary tools for data integration tasks. Members of the Data Administrator role can perform the following tasks in addition to all Modeler role tasks:
· Run, synchronize, or load associations.
· Run Data Load, Data Export, or Data Movement jobs.
· Synchronize data to and load data from the application or staging database.
Planning Business Modeler uses the PerformancePoint Service Identity (SI) account to perform data integration tasks on a staging or application database. This account must have explicit permissions to the Microsoft SQL Server 2005 database.
Users who are assigned to the Data Administrator role have unrestricted Read and Write access to all business data within their scope. This is true even if they belong to a business role that has restricted settings.
Typically, members of the User Administrator role are executive administrators and business analysts. Members of the User Administrator role can do the following tasks in Planning Business Modeler:
· Assign users to and remove users from Data Administrator, Modeler, and User Administrator roles that have a model-site scope.
· Assign users to or remove users from business roles in the model site.
· Edit user permissions for a member set in the model site. This feature must first be enabled by a member of the Data Administrator or Modeler role.
Business roles are defined for users who work with actual business data in PerformancePoint Add-in for Excel. Business roles are created and configured in Planning Business Modeler by members of the Data Administrator role or Modeler role. After business roles are created, users are then added to the business roles by members of the User Administrator role.
Complete information about business roles is available in “About user-defined business roles” in the Planning Business Modeler online Help.
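The role and scope rules above, as an added example that is not part of the white paper or of PerformancePoint itself: a small Python access review that expands application-scope assignments to every model site and reports each user's effective tasks per site. The task labels, site names, users and the `effective_access` helper are constructed for illustration.

```python
from collections import defaultdict

# Task labels are illustrative shorthand for the task lists in the excerpt.
MODELER = {"manage_models", "manage_rules", "define_business_roles"}
ROLE_TASKS = {
    "Modeler": MODELER,
    # Data Administrator: all Modeler tasks plus data integration.
    "Data Administrator": MODELER | {"run_data_jobs", "sync_load_data"},
    "User Administrator": {"manage_role_membership"},
}
UNRESTRICTED = {"Modeler", "Data Administrator"}  # bypass business-role limits

def effective_access(assignments, sites):
    """assignments: (user, role, scope) tuples; scope is 'system',
    'application' (all model sites) or the name of one model site."""
    held = defaultdict(lambda: defaultdict(set))  # user -> site -> roles
    global_admins = set()
    for user, role, scope in assignments:
        if role == "Global Administrator":
            # System-wide; opens no model site (first-app exception not modelled).
            global_admins.add(user)
            continue
        for site in (sites if scope == "application" else [scope]):
            held[user][site].add(role)
    report = {}
    for user in sorted(set(held) | global_admins):
        per_site = {}
        for site in sites:
            roles = held[user][site]
            # Multiple roles: the user can perform the union of their tasks.
            tasks = set().union(*(ROLE_TASKS[r] for r in roles))
            per_site[site] = {
                "can_open_site": bool(roles),
                "tasks": tasks,
                "unrestricted_data": bool(roles & UNRESTRICTED),
            }
        report[user] = {"global_admin": user in global_admins, "sites": per_site}
    return report

# Constructed sample data (not from the white paper).
SITES = ["Budget", "Forecast"]
ASSIGNMENTS = [
    ("alice", "Global Administrator", "system"),
    ("bob", "Modeler", "application"),
    ("bob", "User Administrator", "Budget"),
    ("carol", "Data Administrator", "Forecast"),
]

if __name__ == "__main__":
    for user, info in effective_access(ASSIGNMENTS, SITES).items():
        print(user, info)
```

In the sample, `bob` can both define business roles and manage their membership on the Budget site, which is the kind of overlap an access review would want to surface.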