Submit My Question - Recent Questions - Recent Answer
Msdn Tech >> SQL Server >> SQL Server Reporting Services

Security of Reports

Hi

Investigating SQL Reporting Services, I have set up Reporting Services and have produced reports on web pages via .NET & C#. So far so good.

However, in the web pages I use custom Role based security model where each (registered) user has a unique reference number.

I want to pass that number to the Stored Procedures that I use to create the data for the reports. This is for 2 reasons. One is to determine whether the user is entitiled to view the report. The other is that the report criteria are stored in records in a Criteria table and I access each user's critiera using their unique reference number.

However, if I put the user's reference number it into a report Url, then anybody can impersonate it and get access to reports they shouldn't see.

So, (how) can I securely pass a user's (SQL integer value) from .NET to a Reporting Services stored procedure?

Any insights much appreciated.

Thanks

David

[947 byte] By [DavidDante] at [2007-12-16]
«« HOW to : Copy files with all extensions
»» Template Wizards -- Does SCRIPT_PATH really work?
# 1
The best way is to create a custom security extension for Reporting Services that uses your reference number to identify a user. Then you can use the User!UserID property in your report to filter out whatever you want. If you don't want to go down this path, the only workaround I can think of is to secure the report server web service to only talk to your application identity.
BrianWelcker at 2007-9-9 > top of Msdn Tech,SQL Server,SQL Server Reporting Services...
# 2
Hi Brian

Thanks for you reply. I've been away on holiday - longer than usual!

I believe I am right that a customer security extension requires the Enterprise version of Reporting Sertices and, therefore, the Enterprice version of SQL Server. The reports I am working on are to be hosted on a leased web and SQL servers on the internet, and the Enterprise SQL Server is not a viable option from a cost standpoint.

I will have a think about your idea of securing the report server web service and see what I can come up with.

Best Regards

David

DavidDante at 2007-9-9 > top of Msdn Tech,SQL Server,SQL Server Reporting Services...
# 3

Hi,

In previous versions of SQL Server, Enterprise edition was required for a custom security extension but that is no longer the case. SQL Server 2005 Standard Edition supports the custom security extension.

http://www.microsoft.com/sql/technologies/reporting/rsfeatures.mspx

Regards

Adam

Adam_C at 2007-9-9 > top of Msdn Tech,SQL Server,SQL Server Reporting Services...
# 4

Hi Adam

Thanks for that - I haven't got to grips with SQL Server 2005 in any substantial way yet due to current workloads. But I will definitiely check it out now...

Thanks again

David

DavidDante at 2007-9-9 > top of Msdn Tech,SQL Server,SQL Server Reporting Services...
SQL Server
SQL Server Reporting Services

SQL Server Hot Topic

SQL Server New Topic

SQL Server

Java / MSDN / Linux Tech / PHP Tech / MSDN DotNet / MSDN TECH / Health Library / Programmers Tech / visual basic Tech / Developer Tech / Ipod faqs / Msdn China Tech

Site Classified