Security of Reports

Hi

Investigating SQL Reporting Services, I have set up Reporting Services and have produced reports on web pages via .NET & C#. So far so good.

However, in the web pages I use a custom role-based security model where each (registered) user has a unique reference number.

I want to pass that number to the Stored Procedures that I use to create the data for the reports. This is for 2 reasons. One is to determine whether the user is entitled to view the report. The other is that the report criteria are stored in records in a Criteria table and I access each user's criteria using their unique reference number.

However, if I put the user's reference number into a report URL, then anybody can impersonate it and get access to reports they shouldn't see.

So, (how) can I securely pass a user's (SQL integer value) from .NET to a Reporting Services stored procedure?

Any insights much appreciated.

Thanks

David





  • Ganesh Sankara

    Hi,

    In previous versions of SQL Server, Enterprise edition was required for a custom security extension but that is no longer the case. SQL Server 2005 Standard Edition supports the custom security extension.

    http://www.microsoft.com/sql/technologies/reporting/rsfeatures.mspx

    Regards

    Adam


  • Bayan El Ameen

    Hi Brian

    Thanks for your reply. I've been away on holiday - longer than usual!

    I believe I am right that a custom security extension requires the Enterprise version of Reporting Services and, therefore, the Enterprise version of SQL Server. The reports I am working on are to be hosted on leased web and SQL servers on the internet, and the Enterprise SQL Server is not a viable option from a cost standpoint.

    I will have a think about your idea of securing the report server web service and see what I can come up with.

    Best Regards

    David

  • Kevin Gilpin

    Hi Adam

    Thanks for that - I haven't got to grips with SQL Server 2005 in any substantial way yet due to current workloads. But I will definitely check it out now...

    Thanks again

    David



  • Jean Philippe Boucher

    The best way is to create a custom security extension for Reporting Services that uses your reference number to identify a user. Then you can use the User!UserID property in your report to filter out whatever you want. If you don't want to go down this path, the only workaround I can think of is to secure the report server web service to only talk to your application identity.
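
An added example (not part of the thread) of the workaround in the last answer: the web application renders the report server-side through the Reporting Services execution web service and takes the reference number from the authenticated session, so it never appears in a URL. The proxy namespace, the session key `UserRef`, the `/Reports/` folder and the report parameter name `UserRef` are assumptions.

```csharp
// Added example, not from the thread. Assumed names: proxy namespace, session key
// "UserRef", report folder "/Reports/", report parameter "UserRef".
using System;
using System.Net;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.SessionState;
using MyApp.ReportExecution2005; // web reference to ReportExecution2005.asmx (assumed namespace)

public class ReportHandler : IHttpHandler, IRequiresSessionState
{
    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        // The reference number comes from the authenticated session, never from the request.
        object userRef = context.Session["UserRef"];
        if (!context.Request.IsAuthenticated || userRef == null)
        { context.Response.StatusCode = 401; return; }

        // The browser may only choose a report name; restrict it to a simple token
        // so it cannot address other folders on the report server.
        string name = context.Request.QueryString["report"] ?? "";
        if (!Regex.IsMatch(name, @"^[A-Za-z0-9_]{1,64}\z"))
        { context.Response.StatusCode = 400; return; }

        using (ReportExecutionService rs = new ReportExecutionService())
        {
            // Call as the application identity, the only account granted access to the report server.
            rs.Credentials = CredentialCache.DefaultCredentials;
            rs.ExecutionHeaderValue = new ExecutionHeader();
            rs.LoadReport("/Reports/" + name, null);

            ParameterValue p = new ParameterValue();
            p.Name = "UserRef";
            p.Value = Convert.ToInt32(userRef).ToString();
            rs.SetExecutionParameters(new ParameterValue[] { p }, "en-us");

            string ext, mime, enc; Warning[] warnings; string[] streams;
            byte[] body = rs.Render("PDF", null, out ext, out mime, out enc, out warnings, out streams);

            context.Response.ContentType = mime;
            context.Response.BinaryWrite(body);
        }
    }
}
```

This only holds if browsers cannot reach the report server directly; the stored procedure should still check the user's entitlement against the reference number it receives.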
