SSRS user access to specific folders - sql-server

I'd appreciate if anyone could provide a clear description on SSRS user access configuration.
I've installed latest SSRS and its database on a single server, set the web portal and everything works fine, except I cannot grant access to a specific user group for a specific folder. Till now all the users have access to everything.
I've been struggling with this for several weeks and still couldn't find any tutorial.

Based on documentation Reporting Services provides an authentication subsystem and role-based authorization model. Authentication and authorization models vary depending on whether the report server runs in native mode or SharePoint mode. Here is detailed explanation called Secure Reports and Resources related to native mode and this one talks about Set Permissions for Report Server Operations in a SharePoint Web Application. Also this youtube tutorial and this one was helpful to get me started.

You have probably added the user group to a role using the Site Settings / Security page, or added them to the Home folder / Manage / Security page. A typical user group should not appear in either list.
Instead, navigate to the "specific folder" / Manage / Security page, click Customize security (if required) and then assign the user group to a role (typically Browser).
Here's the full doco on those tasks:
https://learn.microsoft.com/en-us/sql/reporting-services/security/grant-user-access-to-a-report-server?view=sql-server-2017

Related

Automatically deploy an Enterprise Application on AzureAD

I have a React Application that uses Microsoft AD to authenticate users.
As a first step, and according to Microsoft Documentation, we need to register the application with the Microsoft identity platform.
This is inline with Microsoft Identity Platform Documentation, in this diagram we can see that for ALL types of applications (SPA, Web App, etc), we always need to configure an application in AzureAD:
This process is "cumbersome", and i'm trying to remove it by having the application installed automatically.
Several third-parties do this, such as Zapier, SpecFlow, etc.
Basically, they have a process where:
User logs in on Zapier
User is redirected to Azure AD sign-in page
User is authenticated and authorized
AzureAD shows the Consent Page
User consents
Application is installed on user's AzureAD
I've been reading and searching in Microsoft's Documentation, and i cannot find a single document that shows or even mentions this type of flow.
BUT, i know that this is possible, as there are several third parties that are doing exactly this, as Zapier, for example.
Can anyone point me in the right direction, there must exist some Microsoft document that explains how this process is done!
Apologies if this should be a comment, not an answer. I do not have enough SO reputation to write comments.
Zapier is published to the Azure Active Directory application gallery (1c76d9b0-0826-4b19-8706-29572657af1e). You can do this as well:
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/v2-howto-app-gallery-listing
If an application already exists in the gallery, it does not need to be "registered" in the user's tenant, as the registration definition is defined in the gallery.
Once an app is in the gallery, users can use it only if their tenant's administrators allow this, per the settings on this page:
Enterprise applications | User settings
https://entra.microsoft.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/UserSettings
From the user's end, there are other governance controls that may impact the user's ability to use your app, but I think "register your app in the gallery" is probably what you're asking for.

Use Office 365 API to create a public read-only calendar Web page on a blog

I am using Office 365 to manage my calendars. I would just like to publish one of my calendars to my blog. Also, I would like to fully control the style of the calendar. I can enter API URLs into the browser and basic authentication to access my own calendars. So, I could do that from the server to build my calendar page using a server side http client. In this case, I don't really need the full power of OAuth2, which is mainly for letting multiple visitors manage their own content on a third-party site.
It would be nice if Microsoft's Office365 libraries would handle this scenario. It could also include a step where I register for a keys similar to the way Google Maps does. Or do they offer this already?
Does anyone know what steps to take so my scenario would work? Also, would I run up against any usage limits for a popular blog?
While the API is supporting Basic at the moment, that will eventually go away. You can definitely make your scenario work using the authorization code grant flow that's in place today, but it sounds like you may be more interested in the client credential flow which we are going to be releasing support for soon. That would allow you as the administrator of your Office 365 organization to authorize an app to access calendars in your organization without requiring user sign-in.
You register for client IDs and client secrets via Azure AD.
Azure AD is included with Office 365, and registering apps doesn't include any additional paid Azure services.
The client IDs and secrets obtained with the Visual Studio tool are permanent, and not just for debugging. Can you point me at the documentation that said otherwise so I can get it corrected? :)

Session Management in salesforce

We are trying to build one simple website using force.com sites.Here User logged into website and need to perform different actions by moving to different VF pages.
We are facing a Problem to maintaine Session of particular user. We need help regarding how to maintaine session for particular user.
Kindly give your help. Please provide any sample code.
Thanks.
You can't ;)
Think about it, you can store usernames/passwords in your data objects and if they allow you to login and maintain a session for that user and use it to walk around apex pages and builtin forms why would you buy a salesforce license? You could operate a 1000 employees rig with just one administrative license and a site URL. For that reason salesforce does not allow you session control, it grants you one when you buy and expense a license.
For sites, you have to purchase either Customer Portal license or volume-based High Volume Customer Portal set and then use those to "promote" a contact into a login user with the above license. Then, when that user logs into site it has its own session.
This document http://wiki.developerforce.com/index.php/Authenticating_Users_on_Force.com_Sites might be of great help.
This tutorial shows you how to authenticate users on Force.com Sites. It provides a description of Customer Portal, which is needed for the authentication, and shows you how to set up such a site and process to allow site visitors to become authenticated users.
The points on customer portal are correct, and you have to pay for these licences. If you build your own auth on Force.com Sites and salesforce.com finds out they'll be very unhappy. That said you can still do it using cookies (http://www.salesforce.com/us/developer/docs/apexcode/Content/apex_classes_sites_cookie.htm) but it's not perfect because it's client-side.
I highly recommend that you steer clear of this approach though. You're better off building your UI layer on another platform (Google App Engine or Heroku) and using web services created on the Force.com platform through that UI.

Edit User Account on SharePoint Server 2010/Project Server 2010 without AD

We have installed SharePoint Server 2010 and Project Server 2010 without AD. We're a disconnected bunch and thought we'd take it for a spin since being part of BizSpark. But now I'm seeing an issue with editing user account info like email address. Can anyone give me some hints on how life might be like without AD or how to supplement what we might be missing by running the system without AD. Many posts note it is supported but little has notes on what you might be missing.
Thanks in advance.
What you need is to check out the User Profile Service Application area.
Go to SharePoint Central Administration
Go to Manage Service Applications
Select User Profile Service Application
This area is the home of the accounts that are in SharePoint, as well as all the information about the users and how it is displayed on their "My Site"/profile page areas.
If you select Manage User Profiles, this is the area where you can override information from Active Directory about users that are in sharepoint. If you connect to AD, you'll see a little database icon next to the fields that indicates it is synchronized. Even if you use AD, these field can be individually overriden with new information. If you don't have AD, then these will all need to be populated manually by you.
If you go to Manage User Properties you will find all the options to show which fields are editable and which fields are not on a user's profile. This includes, but is not limited to:
Email
Display Name
Homepage/Url
Department
Manager
If you have AD, you'll rarely visit this service admin page, because everything will just work. If you don't, then you'll need to check out this area to change the information about the people that are using your SharePoint instance.
Hope that helps!

SharePoint 2010 - two web applications - single sign on --> do I need claims based auth.?

We are planning to create two sharepoint web applications using SharePoint 2010 Enterprise Edition.
All Users that have access to web app 1, should also be able to access web app 2.
This authentication shall be powered by server 2003 active directory.
--> do I need to use claims based authentication?
If so --> can I use Windows Based Authentication with NTLM for that?
The only thing I really want is that users navigating from web app 1 to web app 2 (and vice versa) do not have to authenticate twice.
I do NOT want to configure Kerberos if it is not absolutely necessare though...
Can you give me any hints?
Thanks!
EDIT:
ok - I'll try to be more precise:
In our SharePoint 2010 environment, we've got two web applications running
http(s)://humanresources.domain.com
http(s)://sales.domain.com
Both are running on the same IIS and have host headers configured (with wildcard domain certificate for HTTPS).
Both apps provide a link to the other web application (sales -> humanresources and humanresources -> sales)
Now whenever someone logged in to sales navigates to humaresources, I do not want that that person needs to login again. Therefore I thought I would need claims based authentication???...
Please enlight my brain! :D
EDIT 2:
Thank you for your answers!
#Panagiotis Kanavos - yes we have Users accessing the site from outside our environment: 1) Users which have an AD accound and are working on their laptops outside of our building (e.g.: they have been all day at a customer and are working at home for the remaining hours) 2) We plan to have users without an AD Accound --> Forms Based Authentication: (e.g.: customers accessing our TFS 2010 project protals to get an overview of the project). As far as I know, if you want FBA and WIN-Auth you need to configure Claims Based Authentication...
However configuring a Web Application with Claims Based Authentication did not work. I chose "Enable Windows Authentication" together with "Integrated Windows authentication -> NTLM" as we do not have Kerberos configured (and I'd love to leave it like that ;-)).
However the Users could not login to that application sometimes, and five minutes afterwards it worked. Additionally, when I added permissions to an AD user, SharePoint seemed to save the Token instead of the Group-/Account Id:
e.g.: Instead of MyDomain\user1 it saved something like "0|=MyDomain\user1" and for groups it even only saved weird character strings "022-12.3"
Could it be the case, that my 2003 windows AD does not support that?
IF you are using Active Directory and running both sites within your domain you should not be challenged when users go to either site. It just becomes an implementation issue about who has access to what, either via AD Groups or SharePoint groups.
Claims based authentication is a bit of a different animal. You need to have a security token which contains a number of "claims" about the user, for example UserA is a member of HR and UserB is a member of Sales. Based on these claims you can then have your site/application respond correspondingly. Claims based auth is relatively new for SharePoint and Microsoft and is a bit of steeper learning curve. It may make more sense if you have a mixed mode environment, with both AD and Forms Based Users getting access. However with your described heterogeneous environment it doesn't seem like it's needed.
More info on SharePoint 2010 Authentication is available here.
John
The easiest solution is to create an AD group with the users of both sites and add the group as a user to the Members Sharepoint group of each site. This way users will not have to login at all since Sharepoint will detect the identity of the logged-in user automatically.
Why are you asking about login, claims, and why are you using certificates? None of this is necessary in an intranet scenario where the farm and users are in the same domain or if the farm's domain trusts the user's domain. Do you have users accessing the site from outside your domain?

Resources