Does anyone know if there is an easy way to bypass the standard windows authentication used to access published reports in the report website front end.
I know about the different authentication methods, RSWindowsNegotiate, RSWindowsKerberos, RSWindowsNTLM and RSWindowsBasic. I also know there is the custom authentication option where I have to go and create my own Login ASP.net page.
The issue is I am trying to set up a role for a user to limit what the user can see and do in the front end without adding another user to the windows active directory.
So the user must be able to log in with their own username and password and only be able to view what their permissions are set to.
Is there a simple way to do this?
I would not call it a simple way, but there is a way to do this. Check out this article on SQLServerCentral: How to Setup Report Parameters to Default Based On User Credentials
It describes the following steps to implement this:
create a report users table in your sql server database
create a UserID parameter
adapt your report queries to identify the user and use that
information to show only permitted data
Related
I am working on a company project, in which it contains a data processing system and this system was previously written separately for each bank and have their own project file, and each of the project has their own database that store the user credentials for them to login using their id and password.
Now we need to merge all the projects together so that it only login via a single login page, but i am wondering how am i going to do this because the data, especially the login credentials is stored in different databases. How should I pass data from a database to another database to perform validation?
Assuming these are SQL server logins, You will probably have to build a database with an availableDB table listing the available databases. Let the user choose a database, then try to open that database using the specified credentials, kicking him/her back to the choose-a-database point in the application.
If that doesn't answer your question, we'll need a little more information: architecture, desired interface, etc.
Hope this helps.
Why Dont You Use a drop down on login form with Every bank name listed in Drop Down. After selection of bank, use if and else statements to populate selected bank database.
I have created Winforms application which stores some sensitive data like username and password.
The system used by many users. I am using SQL Server Express for storing data.
The application downloads data from a remote server by sync framework. I want to create only one user for that database so I can sync that database.
My problem is that I want to hide the database from all users which are using the application and also from the sa & Windows authentication accounts. So no one can see the other usernames or passwords.
How can I do this?
If I understand well, be best way to do it is :
keep one administrative login (one login that is member of sysadmin). It will be you. You need at least one admin.
disable sa : ALTER LOGIN [sa] DISABLE;
for all other logins, add them as users in the database, but don't give them any permission. They won't be able to see anything
use an application role (which is deprecated) OR create a user without login and use EXECUTE AS (which is the new way to go): you can learn more about it here : http://msdn.microsoft.com/en-us/library/bb669062(v=vs.110).aspx and http://msdn.microsoft.com/en-us/library/bb669087(v=vs.110).aspx. That will allow you to set other permissions for your users only when the conect through the application.
I am creating an Access project linked to a SQL Server. Instead of using Windows authentication for the SQL Server I want to use an application specific username/password and authenticate users myself using a login form. The reason is that other applications may connect to this database from a context where Windows authentication is not an option (FileMaker Server for instance).
I have found myriad discussions that cover this issue from one angle or another, but none that have actually enabled me to implement a solution. I do not have a lot of VBA or LDAP experience but I know this must be possible.
So, what I want to do is:
Ask the user for a username and password when they open the database.
Use that username and password to authenticate them
against our LDAP server.
Proceed if it passes, fail if it does not.
Can someone sketch out how this works or point me to a resource that describes this?
One way to accomplish this is to create a VBA procedure which loops through all of your linked tables and alters the connection string to embed the username and password from a login form.
You can get the syntax for the existing ODBC linked tables by going to the debug window and typing this:
? CurrentDb().TableDefs("My Table Name").Connect
Which should give you something similar to:
ODBC;DRIVER=SQL Server;SERVER=MYSQLSERVER001;UID=JPARKER;PWD=Pizza123;APP=2007 Microsoft Office system;DATABASE=MyDatabaseName
So your login form would capture the user name and password from the user, then store those as variables and use to build a new connection string. Then iterate through the tabledefs collection updating the connect property. Happens pretty quickly.
My team has a service deployed internally, and part of this service is a list of client accounts stored in a sql table. SSRS is hosted on another server and we have integration jobs which [will eventually] pull these client accounts (along with additional info) from our 3 production environments to this SSRS database.
Also on this SSRS database, I’m creating a new table that will be a mapping of domain accounts and client accounts. I need this table so I can filter my report based on which client accounts the logged on user is allowed to see.
Pretty simple so far.
The next requirement of this is that I need to restrict access to the report itself. I understand I could normally use a security group to do this, but that would result in two separate locations to manage permissions for one resource and this is what I want to avoid.
The solution I’m looking into is to create a security extension to validate the logged in user against the database, allowing them access to the folder/report if they exist in the table. Once in, I can then use that same table again to filter their results.
What I’m not sure of is 1) if this is the best solution and 2) can I use a security extension for just MY portion of the site. There are many other users and reports on this site that I don’t deal with and don’t want to conflict with those.
Could you fill the DB table automatically from AD? Then you can use the standard windows security, but still only do the administration in Active Directory.
link text
You could set up an internal report parameter, called something like UserID, and set its default value to be the non-queried expression =User!UserID . (This user ID can be selected from the list of globals in the Edit Expression dialog.)
You could then add a cartesian/cross join to your users table in your query, with a selection condition based on your internal report parameter - eg. ...and UserTable.ID = #UserID . This would ensure that no records were returned if an unauthorised user was running the report.
Note that the User!UserID field will only return the user for interactively-run reports - in scheduled reports, this will be the account for the scheduling service.
Can't you restrict access to the report by using a security group (either in it's own folder or report level permissions). Use windows authentication in your datasource connection and filter you report retrieving your username using the sql function ORIGINAL_LOGIN?
I'm having a problem with my SSRS 2008 configuration at the moment. This is how we are currently set up.
1 server hosting SQL Server and SSRS, no integration with sharepoint etc. Users access the SSRS web application, and then from there they access the "Report Builder 1.0" too, which they can use to create and run reports based off a reporting model.
This is all done using Windows Authentication - so they login with their domain account to the web application, and then again when loading the Report Builder. Each domain user is configured to be able to login to SQL Server rather than using a generic SSRS account, and all of the above works fine.
The way this is setup means that you can always tell which individual user is logged in and running reports - either to the website or when running reports through report builder. This is a requirement of this application as all users will see slightly different versions of the data models (this is controlled by the underlying views, based off the domain account running the query). So Tom may get 100 rows back from his query but Harry will only get 50, etc.
The Datasource is setup to use integrated security (Which passes through this domain account to SQL Server).
My problem comes when a user creates a report in report builder, and then saves it to the server. When they login to the web application and run the report there - it works fine, but when they try to setup an email subscription, they get this message:
"Subscriptions cannot be created because the credentials used to run the report are not stored, or if a linked report, the link is no longer valid"
A bit of research leads me to think that this is down to the integrated security settings, as for some reason SSRS is ignoring the currently logged on user account or cannot use that to setup the subscription.
Everything works if I set the datasource to use a specific account - but then that breaks the data filtering based on user account (obviously, as it would now be just using one account for everyone!).
Any ideas for how I can approach this? Is there a configuration setting that I can play with to try and get this working using integrated security? Any help/comments are appreciated!
To create a report subscription you must meet a few reqs:
First is,
A report that can run unattended (that is, a report that uses stored credentials or no credentials).
To do what your wanting to do I suggest you setup data driven subscriptions. Heres a link to get you started. Data Driven Subscriptions Theres also several good videos of the basic setup. Like this one sqlLunch #8
Here's another walkthrough that's pretty decent: Walkthrough
Hope any of this helps ya.
Thats a nice one to have in your tool belt as well.
If you just drop the subscribed report into a file share instead of emailing it, the users can fill in their username and password, so it will run as them. The only problem with doing it this way is when they change their password, they will need to go and put the new password into the subscription again.
I guess they could have another account with a password that wont expire to run the report as, but that's probably not good practice
what you could do is have the list of users in a table in the database with what they're permissions are, then set up a data-driven subscription to get the list of users and get their permissions and filter the report accordingly.