Row Level Security on Shared data set SSRS - sql-server

I'm looking for a way to filter the data to employees something like create a "user to Client relationship", the problem is this is after the fact,I have 100+reports that already exist and I don't want to edit each one, I use a shard Data source, can i somehow implement RLS on that source ? or maybe use ssas RLS in conjunction.
SQL server 2012 enterprise,
Thank you

One solution which comes to my mind is to add to each shared dataset a part which will filter rows based on domain user name.
This will require that:
User running SSRS report will have to have access to SQL Server
You would have to build tables to define access right (if you do not have already)
If you would be running SQL Server 2014 and onwards you could use built in RLS. You would have to define access right and create access control function. Still you have to have some kind of data store which will help you to determine what is visible to each user - more details on RLS here.

Related

Import Active Directory to SQL Server

I'm working on a Microsoft BI project.
I am currently in the process of connecting my systems to SQL Server. I want to connect my Active Directory to a table in SQL Server and I want to sync to one table per hour. This means that every hour the details of the Active Directory will be updated.
I realized that it is necessary to use SSIS to do this I would be happy for help to connect my AD to SQL Server with the help of SSIS.
There are two routes available to you to sync AC user classes to a table. You can use an ADO source in an SSIS Data Flow Task or you can write custom .NET code as part of a Script Source. The right answer depends on your team's ability to maintain and troubleshoot a particular solution as well as the size of your AD tree/forest. If you're a small shop (under a thousand) anything is going to work. If you're a larger shop, then you need to worry about the query mechanism and the total rows returned as there is an upper boundary of how many results can be returned in a single query. In that case, then a script task likely makes more sense as you can more easily write a query to pull all the accounts that start with A, B, etc. I've never worked with Hebrew, so I assume one could do a similar filter for aleph, bet, etc.
General steps
Identify your domain controller as you need to know what server to ask information from. I do not know how to deal with Azure Active Directory requests as I believe it works a bit different there but haven't had client work that needed it.
Create a Connection Manager for ADO.NET . Use the ".Net Providers for OleDb\OLE DB Provider for Microsoft Directory Services" and point that to your DC.
Write a query to pull back the data you need. Based on the comment, it seems you want something like this
SELECT
distinguishedName
, mail
, samaccountname
, mobile
, telephoneNumber
, objectSid
, userAccountControl
, title
, sn
FROM
'LDAP://DC=domain,DC=net'
WHERE
sAMAccountType = 805306368
ORDER BY
sAMAccountName ASC
Using that query, we'll add a Data Flow Task and within it, add an ADO.NET Source. Configure it to use our ADO.NET Connection manager and use the above query (adjusting for the LDAP line and any other fields you do/don't need)
Add an OLE DB Connection Manager to your package and point it to the database that will record the data.
Add an OLE DB Destination to the Data Flow and connect the output line from the ADO.NET Source to this destination. Pick the table in the drop down list and on the Columns tab, make sure you have all of your columns connected. You might run into issues where the data types don't match so you'll need to figure out how to handle that - either change your table definition to match the source or you need to add data conversion/derived columns components to the data flow to mangle the data into the correct shape.
You might be tempted to pull in group membership. Do not. Make that a separate task as a person might be a member of many groups (at one client, I am in 94 groups). Also, the MemberOf data type is a DistinguishedName, DN, which SSIS cannot handle. So, check your types before you add them into an AD query.
References
ldap query to get disabled user records with whenchanged within 30 days
http://billfellows.blogspot.com/2011/04/active-directory-ssis-data-source.html
http://billfellows.blogspot.com/2013/11/biml-active-directory-ssis-data-source.html
Is there a particular part of the AD that you want? In any but the smallest corporations the AD tends to be huge. Making a SQL copy of an entire forest every hour is a very strange thing that may have many adverse effects on your AD, network, security and domain-wide performance.
If you are just looking to backup your AD, I believe that there are other options available, specific to the Windows AD (maybe even built-in, I'm not an AD expert).
If you really, truly want to do this here is a link to get you started: https://social.technet.microsoft.com/Forums/ie/en-US/79bb4879-4d82-4a41-81a4-c62afc6c4b1e/copy-all-ad-objects-to-sql-database?forum=winserverDS. You can find many more articles on this just by Googling "Copy AD to Sql".
However, heed the warnings well: the AD is effectively a multi-domain-wide distributed database, attempting to copy it into a centralized database like SQL Server every hour is contra-indicated. You are really fighting against its design.
UPDATE Based on the Comments:
Basically you've got too much in one question here. Sql Server, SSIS and the Active Directory (AD) are each huge subjects in and of themselves and the first time that you attempt to use all of them together you will run into many individual issues depending on your environment, experience and specific project goals. We cannot anticipate all of them in a single answer on this site.
You need to start using the information you have from the following links to begin to implement this yourself, and then ask specific questions as you run into problems along the way.
Here are the links that you can start with,
The link I provided above from MS: https://social.technet.microsoft.com/Forums/ie/en-US/79bb4879-4d82-4a41-81a4-c62afc6c4b1e/copy-all-ad-objects-to-sql-database?forum=winserverDS
The link that you provided in the comments that explains how to setup ADSI as a linked server and how to use T-SQL on it: https://yiengly.wordpress.com/2018/04/08/query-active-directory-in-sql-server-with-linked-server/
This one explain how to use AD from within an SSIS DataFlow task (but is limited to 1000 rows): https://dataqueen.unlimitedviz.com/2012/05/importing-data-from-active-directory-using-ssis/
This related one explains how to use AD within an SSIS Script task to get around the DataFlow task limits: https://dataqueen.unlimitedviz.com/2012/09/get-around-active-directory-paging-on-ssis-import/
As you work your way through this you may run into specific problems, which you can ask about at https://dba.stackexchange.com which has more specific expertise with Sql Server and SSIS.
Based on your goals, I think that you will want to use a staging table approach. That is, use your AD/Sql query to import all of the AD users records into a new/empty temporary table that has the same column definition as your production table, then use a Merge query to find and update the changed user records and insert the new user records (this is called a Differential or Type II update).

Crystal Reports can access tables, but not views

I've written a Crystal report that primarily works from a temporarily MDB file that is created on the fly in an Application (which I do not have access to source code for).
I need additional data, so I linked to a secondary MSSQL database where I store more information.
I was able to add tables from this SQL database to my report, and link to them with no trouble. But when I try to include views in this same SQL database in this report, I get a "Logon Error".
My first thought was that is is a permission issue, but I haven't set permissions for specific tables and views in this database, only permissions to the entire database.
Frustratingly, I don't see any errors in the SQL logs for the database.
Does anyone have ideas on what I can check to get this fixed?
Just To Clarify: I can see these views in the Crystal Report, and I can add them, add fields to the report, and create links. I can even Browse Data in fields within the view in Crystal. It's only when running these reports from the 3rd party application that I get an error.
Is SQL Server set to use NT Authentication? If so, the 3rd-party application is probably running under a user context that doesn't have permissions.

Getting Data from an Oracle database to SQL Server

I am a SQL Server database developer. We have a current requirement that we need to link our product with an existing application of a client. Our product has a SQL Server 2012 database while the client's existing application uses Oracle 11g. Since the time limit for the project completion is limited we cannot migrate our application to Oracle.
The requirement is that we have to get the customer details from the Oracle database to do billing activities in our system.
So I went through a few links and found that SQL Server linked server can be used to do this. I have successfully created a view which uses the Customer table from the Oracle database using a linked server. It will solve our problem.
Now here are my questions:
Is there any better solutions to do this other than linked server?
Are there any drawbacks when using linked server for this?
Thanks in advance
One drawback to consider is that the filtering on your view may take place at "your" end, rather than in Oracle. e.g. if you have a linked server (using, say, an OPENQUERY statement) and a view based on that and you do this:
select id from myView where id = 4711
expecting that the result will be very quick (assuming id is indexed etc.etc.), then you may be in for a shock as what will actually happen is:
the entire contents of the Oracle table are passed to SQL Server
SQL Server then filters this data, i.e. the filtering cannot be "pushed
down" into the view objects (as they are remote).
N.B.: I know there are two ways to define linked server (openquery and the other one, I forget the details), so this may not always apply, but you should be aware of the potential performance hit.

Copy access database to SQL server periodically

I have an access 2003 database that holds all of my business data. This access database gets updated every few hours during the day.
We're currently writing a website that will need to use the data from the access database. This website (for the time being) will have only read only capabilities. Meaning there will only need to be one way transfer of data (Access -> SQL).
I'm imaging there's a way to perform this data migration from access to SQL server programatically. Does anyone have any links to something I can read about?
If this practice sounds odd, and you'd like to suggest another way to do this (or a situation where data can go both ways (Access -> SQL, SQL -> Access), that's perfectly fine.
The company is going to continue using Access 2003 for their business functionality. There's no way around that. But I'd like to build the (readonly) website on top of SQL Server.
The strategy you outlined can be very challenging. You could use INSERT queries to copy new Access rows to SQL Server, as described in another answer.
However, if you have changes to existing Access rows, and you also want those changes propagated to SQL Server, it won't be so simple. And it will be more complicated still if you want deleted Access rows deleted from SQL Server, too.
It seems more reasonable to me to use a different approach. Migrate the data to SQL Server once. Then replace the tables in your Access database with ODBC links to the SQL Server tables. Thereafter, changes to the data from within your Access application will not require a separate synchronization step ... they will already be in SQL Server. And you won't need to write any code to synchronize them.
If your concern is that the connections between the web server and SQL Server be read-only, just set them up that way. You can still independently allow read-write permissions for your Access application.
To do the initial data migration and set the SQL Server automatically, I would use the SQL Server Migration Assistant. The only thing you should definitely change that I can think of would be to turn off the Identity property on any columns that have it - to be explained below (MS Access calls Identity autonumber). Once you have your tables loaded, you can set up a dsnless connection to the database (and tables) you just created.
I haven't used the method just linked, but I believe it allows you to use SQL Server authentication to connect to the db. The benefit of using this method is you can easily change which SQL Server instance and/or database your are connecting to for development and testing.
There might be a better, automated way, but you can create several insert queries doing left joins from the primary key of the Access table to the SQL Server table, and putting a WHERE clause that specifies the SQL Server PrimaryKey must be null. This is why you need to turn off the Identity property in the SQL Server tables, so that you can insert the new data.
Finally, put the name of each query in one function, then run the function periodically.
I have used Microsoft's free SQL Server Migration Assistant (SSMA) to migrate Access to SQL Server. The tool is very simple to use. The only problem I have encountered with the tool was overloaded data types when migrating. What I mean by this is a small string will get converted to a NVARCHAR(MAX) in some instances. Otherwise, the tool is very handy and can be reused after setting up a 'profile'.

Keep Sql server table updated from Access table

I am attempting to keep a table in Sql server updated from an access table. Any time a change is made in the access table I would like that change reflected in the sql server table. The two tables can be identical. I have created an ODBC connection from access to sql server and can export the table to sql server; I just don’t know what must be done to keep that table updated. Any suggestions are appreciated.
Should this be implemented from within Access or within sql server?
Can you just add the SQL Server table to the Access database as a linked table? (Useful article on how to add linked tables)? That way users (let's hope there's not many!) of the Access database are in effect editing the SQL Server table directly.
If this isn't desirable then how about creating another table in the SQL Server database, and adding this to the Access database as a linked table. Then, add a trigger so that when an insert/update/delete is made to this table the same operation is done on your main table.
I think setting up a Linked Server in SQL Server could be easier to implement than an automatic export of data from Access.
According to the MSDN page,
Many types OLE DB data sources can be configured as linked servers, including Microsoft Access and Excel.
Server-on-SQL-2005-Server/
Access has no "event" that occurs when a row is updated/inserted/deleted that I know of. as JeffO points out data macros that could do what you want.
You could also periodically synch them. There are several techniques to periodically do the synch task (SQL Server Agent, Windows Service, Windows Scheduler, a timer in an application etc.), but still have to deal with all the problems that exist with synchronization if both tables can be modified, the worst being data conflict resolution. There is no easy solution for that.
Perhaps if you explained the problem you have that you are solving with synching data in SQL server and Access someone might be able to point you in the direction of a solution that doesn't have these problems.

Resources