on SQL Server Reporting Services, I have the below requirnment for a report
Users are authenticated for Reporting using Active Directory (windows domain accounts)
We have an custom authentication DB and the data that should appear on the report are related to users on this Authentication DB
Need to generate a report that list Sales data for all the stores, and "all data" should only be available to "Admin" users
For "Non Admin" users, same report should only display sales data for the single store that they are associated with. (Not the whole list of sales data for all stores)
Definition of "Admin", "Non Admin" user categories are defined on the custom Authentication DB.
Really appreciate if someone could give me the directions on what approaches I should follow.
Please let me know if I should further clarify my requirements.
Thanks.
In SSRS you can access the User ID (=User!UserID). Set this up as an internal parameter for the report, and pass this into your dataset queries as a parameter.
Now you can join to your custom permissions table in your dataset queries.
Use a query constructed with this method to populate your parameter drop down for "Store."
Also use the parameter again and double check that the user has permissions in your main query that returns results. This will avoid a user being able to manually specify a store that they don't have permissions for. (Otherwise URL access would allow users access to reports they shouldn't get.)
Let me know if any of this isn't making sense.
Related
I have an SSRS report used by many users from different regions.
Is it possible to show/hide information based on region without
using parameters - we are using a single report?
Is it possible to give report permissions to users who are outside
of network(Company)?
Without using parameters how do you intend deciding which information to hide or show?
If (big IF because you haven't said why you cannot use parameters) what you want to do is possible then you are going to
have to
Create separate folders for each class of user.
Set the permissions on those folders so that they can only see their
own folder.
Put a copy of the report in the folder.
Have a hidden parameter which passes the class of user into the
report OR
Pass in the current windows authenticated user into the report and
report on class of user from the windows login.
In answer to your second question - Yes- you will need to set up Forms Authentication.
I have created an SSRS report which I am using in Asp.net website. Reports accepts server, database,user and password to create connection string dynamically. Dynamic connection string is required because user can select a database at the time of log-in and that database need to be used for SSRS.
One requirement is such that user should be able to create SSRS report himself. For the purpose I provided guideline that how to create parameters that are require data-source's dynamic connection string.
One possible problem I thought is if user do not make parameters as hidden, he will have database credential in clear text.
I thought of adding encryption at asp.net website and decryption in SSRS report but decryption function/code will be easily accessible at the time of designing.
Any idea how to overcome the situation?
I suggested that the OP should read the following documentation:
Specify Credential and Connection Information for Report Data Sources
This were the remarks made by the OP:
Prompt the user for credentials :Not possible because some users can view report with provided website user/password. He will have no idea about DB.
Store credentials: Not possible because user will see data in website as well as in report by database selected at the time of log-in. Database selection option is given at the time of log-in in website because there would be more than one database. so one report will show different data based on selected DB by the user.
Use Windows integrated security : Not possible because most of our client are not allowing use to use integrated security for database access. we need to use their provided credentials for all database access.
Use no credentials : we need to use client provided credentials for all database access. Correct me if i missed something from that article
This is my response and answer to the presented problem:
You require a user to login to your website, as soon as the user is logged in you should be able to know who this user is. This also means that you can give a user specific rights/access to your application.
So you can use the Stored Credentials and more specifically use the Integrated Security.
Type | Context for network connection | Data Source
-------------------- | -------------------------------- | -----------------
Integrated security | Impersonate the current user | For all data source types, connect using the current user account
I believe the following documentation might be exactly what you're looking for.
How to: Secure Connection Strings When Using Data Source Controls
I would strongly recommend creating a new table containing data that specifies the different access levels to then have a junction table with the user table. This will make it easy to determine which user has access to which report and allow for an easy implementatuon of the Integraded Security.
Is there a way to provide generic permissions for users to run reports stored in the Report Manager? I can see how to provide access on an individual user basis via Manage -> Security -> New Role Assignment, by adding the User's Windows login name and assigning them to the Browser role for the report. (Report Manager already knows the domain name).
However, we don't want to be continually having to manage this for each new user. I want anyone under that domain name to have access without needing to configure it. I had hoped that just adding the domain name as a 'user' to the Browser role for that report would do it, but to no avail.
You can add any domain group that has been set up, not just individual users, or you can simply add all domain users, i.e. MYDOMAIN\Domain Users to the Browser role, which seems to be what you're after.
However, I would recommend creating a generic user group like MYDOMAIN\SSRSReportUsers or something like that and adding this group to the browser role instead of MYDOMAIN\Domain Users, as adding all users to the Report Server seems like it doesn't give you many options to manage this in any sort of granular way.
I have some dashboards with Reporting Services and SharePoint, some need parameters some of them do not need parameters. I want to create something standard(I've think in a standard report) that receives all the possible parameters of the dashboards.
My idea: In my report will exist a button with the name Suscribe, this button displays a report or form that will receive all the important parameters directly from the report that called it, in this new report or form the user will choose the periodicity, write his mail and/or a CC.
I've seen some examples, but this examples need to create a subscription before hand, and I have more than 100 reports and differents users can create differents subscriptions.
http://www.sqlservercentral.com/articles/Development/datadrivensubscriptions/2432/
http://www.sqlservercentral.com/articles/Development/2824/
I appreciate your help.
If you are using Sql Server Enterprise Edition then you have support for data driven subscriptions in which case you can define sp's or a query that returns email addresses for the given report. If you are not using EE the data driven subscriptions are not supported:(
Is it possible to manage report permissions by using Active Directory? For example, I have an employee performance report. Employee can open the report by choosing his/her name from the dropdown parameter. This parameter dropdown lists the all employee names. However, most of the employees must see just their names in that dropdown. It must be forbidden to see other employees names. Moreover, the department heads must see the all employee list in that dropdown. How can I make a solution for this?
The best way to do this is by using the built-in User!UserID field, which returns the credentials of the person running the report. If your users are accessing SSRS using their Windows domain credentials, then User!UserID will return as string that looks like DOMAIN\userid. As long as you have somewhere in the database where you can link the user's Windows login to their name, then you can use that to restrict the dataset that returns the parameter dropdown (either as a SQL parameter or as an SSRS dataset filter).