As we all know that SSRS user can be created using Reporting Manager which can be accesses by the url given in Reporting Service configuration manager utility.
But, my requirement is to create a new SSRS user using a Query. I just want to know whether it is possible to do so or not. If yes, how?
something similar to this should work.
USE ReportServer
GO
IF NOT EXISTS (SELECT * FROM master.dbo.syslogins WHERE loginname = N'loginname')
CREATE LOGIN [loginname] FROM WINDOWS
GO
CREATE USER [loginname] FOR LOGIN [loginname]
GO
You can not create users using the Report Manager URL. The permission management/Role assignment only can be done through it.
Adding Login/User to [ReportServer] database does not mean that user can access the reports.
The Group or user name should be a Windows domain user or group account in this format: <domain>\<account>.
https://msdn.microsoft.com/en-us/library/ms156034.aspx?f=255&MSPPError=-2147217396
There is a way to achieve your requirement of checking users' access in a query. First, in Report Manager, give all users the "Browser" role (for example, "NT AUTHORITY\Authenticated Users"). Then, pass the current user of the report to your database query.
The current user of the report can be retrieved with report expression User!UserID. In my environment, this is returned in the form <DOMAIN>\<WINDOWS USER NAME>. See MSDN Built-in Globals and Users References (Report Builder and SSRS) for more info.
Related
Suppose I have a login metamanager\test which shows when I execute T-SQL, but it is not there when when I expand Security -> Login in SSMS.
Same with a database user.
I try to replicate but failed
use master
select * from sys.syslogins is used for login
use DB
select * from sys.sysusers is used for database user
A LOGIN and a USER are completely different objects.
A LOGIN is a server object, and appear in sys.syslogins, as you see.
A USER is a database object, and for a LOGIN to have access to a database, it needs to have a USER mapped to the LOGIN in that database. A LOGIN with no mapped logins in any databases, and without any server level roles, will be unable to access any of the database on the instance, apart from those that the public roles has in tempdb and master.
It appears, here, you need to create the user in the database, and then give it the appropriate permissions. You can create the USER with the following:
USE {YourDatabase};
GO
CREATE USER 'metamanager\test' FOR LOGIN 'metamanager\test';
You'll need to give it the appropriate permissions afterwards.
Also, after you have created the user, ensure you have refreshed your object explorer. Object explorer doesn't automatically refresh after you create an object.
Not sure if you explaining it correctly, but syslogins and server_principals are about the same. Only the difference that server_principals include "Roles".
As far as I know it is impossible to have something in syslogins, which does not exist in server_principals.
I've been trying to figure out how to add a new user,
but I haven't managed to figure it out so the new user will have access to only a specific database without being able to see the whole server / users / databases.
Any help will be apperciated
thank you!
To add a new user who have access to only 1 database, you need to create a new login and add a user mapping to that login for the database you want,
to do this, open MSSQL Management Studio, on the left panel, expand your server by click on the checkbox and select security then Logins.
Then, right click on the logins box and select new login.
On the new login window, provide login name(user name) and authentication type, then there's select page tab on the left side, then select user mapping and add the database you want to that user, also remember to add object to default schema of that database.
USE Databasename ;
CREATE USER username WITH PASSWORD='passwd';
GRANT ALL ON Databasename TO username;
If you are on SQL Server 2012 and higher, Contained Databases is what you are looking for.
Making a database contained, you give it the ability to authenticate a user (not login), and the users of contained database will see nothing at the server level, no other databases will be visible to them.
Does anyone know if there is an easy way to bypass the standard windows authentication used to access published reports in the report website front end.
I know about the different authentication methods, RSWindowsNegotiate, RSWindowsKerberos, RSWindowsNTLM and RSWindowsBasic. I also know there is the custom authentication option where I have to go and create my own Login ASP.net page.
The issue is I am trying to set up a role for a user to limit what the user can see and do in the front end without adding another user to the windows active directory.
So the user must be able to log in with their own username and password and only be able to view what their permissions are set to.
Is there a simple way to do this?
I would not call it a simple way, but there is a way to do this. Check out this article on SQLServerCentral: How to Setup Report Parameters to Default Based On User Credentials
It describes the following steps to implement this:
create a report users table in your sql server database
create a UserID parameter
adapt your report queries to identify the user and use that
information to show only permitted data
My team has a service deployed internally, and part of this service is a list of client accounts stored in a sql table. SSRS is hosted on another server and we have integration jobs which [will eventually] pull these client accounts (along with additional info) from our 3 production environments to this SSRS database.
Also on this SSRS database, I’m creating a new table that will be a mapping of domain accounts and client accounts. I need this table so I can filter my report based on which client accounts the logged on user is allowed to see.
Pretty simple so far.
The next requirement of this is that I need to restrict access to the report itself. I understand I could normally use a security group to do this, but that would result in two separate locations to manage permissions for one resource and this is what I want to avoid.
The solution I’m looking into is to create a security extension to validate the logged in user against the database, allowing them access to the folder/report if they exist in the table. Once in, I can then use that same table again to filter their results.
What I’m not sure of is 1) if this is the best solution and 2) can I use a security extension for just MY portion of the site. There are many other users and reports on this site that I don’t deal with and don’t want to conflict with those.
Could you fill the DB table automatically from AD? Then you can use the standard windows security, but still only do the administration in Active Directory.
link text
You could set up an internal report parameter, called something like UserID, and set its default value to be the non-queried expression =User!UserID . (This user ID can be selected from the list of globals in the Edit Expression dialog.)
You could then add a cartesian/cross join to your users table in your query, with a selection condition based on your internal report parameter - eg. ...and UserTable.ID = #UserID . This would ensure that no records were returned if an unauthorised user was running the report.
Note that the User!UserID field will only return the user for interactively-run reports - in scheduled reports, this will be the account for the scheduling service.
Can't you restrict access to the report by using a security group (either in it's own folder or report level permissions). Use windows authentication in your datasource connection and filter you report retrieving your username using the sql function ORIGINAL_LOGIN?
I have a web application, which is using a SQL Server 2005 database.
My problem is, that the application has no role management. So the application always accesses the database with one default user. But now I have to save and access a value only for the current user.
Is there any way to do this? Maybe something like a session on the web server? The best way would be, if there is any possibility to access the current session id of the web server from T-SQL.
Do anyone understand my problem? :)
Allows a system-supplied value for the current login to be inserted into a table
DECLARE #sys_usr char(30);
SET #sys_usr = SYSTEM_USER;
SELECT 'The current user is: '+ #sys_usr;
GO
from MSDN
In my opinion, it's better don't do this. Another way: send to stored procedure current user from web sever:
command.CommandText = "EXEC mySP #user";
command.Parameters.Add("#user").Value = ((YourOwnUserClass)Session["user"]).Name;
// or System.Web.HttpContext.Current.User.Identity.Name; to use built-in
// from web page it becomes this.User.Identity.Name;
If you are using Windows integrated authentication instead of SQL accounts:
Give schema object permissions to a Windows group, not a user. Then add all of your application users to this group.
Use the built-in SUSER_NAME() function to retrieve the underlying Windows user name (in loginDomain\userName format.