I am trying to use a very easy and simple feature of a reportmodel, model item security.
In my example i have two users; HGHJohn and HGHJKooi
I want to test if I am able to restrict access in the model to a whole entity. HGHJKooi shouldn't be able to see the entity 'Customers'.
These are the steps I executed:
1. In Sqlserver management studio I opened the properties of my model and navigated to the tabpage 'model item security'.
2. I activated the option 'secure individual model items...'
3. In the root of the model I declared two users(groups) as specified above
4. Automatically all nodes inherit these settings from the root.
5. For the entity 'Relations' I change the default, by selecting 'use these roles for each group or user account'
6. I removed HGHJKooi from this list, leaving only 'HGHJohn as model item browser
What I expected at this moment is that when I login the system as HGHJKooi, then I won't see this entity, but I still can! Does anybody know a solution to this problem?
I have posted this issue for a week, haven't got any reply yet, I posted it again and desperately need your help.
The article http://msdn2.microsoft.com/en-us/library/ms365343.aspx says: Model Item Security can be set for differnt security filters, but when I use SQL Server Management Studio to set Model Item Security, it seems "Permissions" property surpass "Model Item Security" property. -- My report server is using Custom Authentication.
For example, in "Permissions" property of the model, if I checked "Use these roles for each group or user account" without setting any user or group, no matter what users I added to "Model Item Security" with "Secure individual model items independently for this model" checked, NO one user can see the model on report manager and report builder;
in above situation, if I added "user1" and gave role such as "Browser" role to "user1" in "Permissions" property, if I checked "Secure individual model items independently for this model" in "Model Item Security" property, even I did NOT grant "user1" to root model and any entities under the model, the "user1" is able to access the model and all entities in report builder.
My question is on the same report model, how to set "AdminFilter" (empty security filter) for administrator permissions and set "GeneralFilter" (filtered on UserID) for general user based on their UserID?
The article also says:
"Security filters are always applied, even for users who have Content Manager or Administrator permissions to the model. To allow administrators or other users to see all rows of an entity on which row-level security is defined, you can create an empty security filter (which always returns True) and then use the filter to grant those users access to all the rows."
So I defined 2 filters "GeneralFilter" and "AdminFilter" for "Staff" entity for my report model "SSRSModel", I expect after I deployed the report model, the administrator users use report builder to build reports with all rows available, and the non-admin users can only see rows based on their UserID.
I can only get one result at a time but not both:
either the rows are filtered or not filtered at all, no matter how I set the "SecurityFilter" for the entity: I tried setting both "AdminFilter" and "GeneralFilter" for SecurityFilter at the same time, combination of "DefaultSecurityFilter" and "SecurityFilter", or one at a time.
Hi I just deploy a report model and want use report builder to create ad-hoc using this report model. I want some entitis and attributes are not visiable for some user, so I config the model item security for this model. But no matter which user I use to login the report server, I always can access all the entities. Even I delete all the groups and users in "Permissions" property of the model, I still can access this model through report builder. All the user I used to test are local user of server with report service, my server is SQL Server 2005+SP2.
While building Report Model Solution in Business Intelligent Studio i am getting following errror- More than one item in the Entity 'table' has the name 'columns'. Item names must be unique among immediate siblings.
Please advice how to resolve this one. Thanks Ashwin.
I have been playing with SRS 2005 for a few months now and have a decent setup going but am strugling with model security.
I have set my selected users up in the home folder and also as site users in site settings, they can launch the report builder and create reports fine.
HOWEVER
I intend to use the software accross multiple systems ie WMS, TMS, Finance package, T&A and therefore I only want the WMS users to see the WMS models and T&A users to only see the T&A models etc
No matter what settings are adjusted it seems that if you can launch the report builder then you can access all models and this poses an issue for me as systems like T&A and financials that I need to be as secure as possible.
I am aware that I can limit access to to models using Management studio but it seems to be basically on a column basis rather than the whole model.
Help!!!
Also aware of the fact im an idiot and basically posted the same thing 5 or 6 times! Hopefully the others are deleted
I have created security roles that restrict access to a certain Dimension and a member therein.
The security works fine when the users finened in it runs a report: The data is accordingley ristricted.
The problem is when those same users run Report Builder and create a report, those members are no longer restricted and they have acces to absoluteley all data from the cubes.
Is there some way that I can force the Data Model to follow the cube's security roles?
Any help is much appreciated...
Gerhard Davids
EDIT: I have found that it uses the wrong user when opening report builder. For some reason it uses my windows account instead of the one I used to log onto report manager. This is way the security isnt working
I have a question here for report model generated on top of SSAS 2005. If security has been defined in SSAS 2005 cube where RoleA only have access to certain dimension, is this security setting integrated with the report model and propogate down to the report builder when used where RoleA users have no access to dimension allowed?
I've been through a number of tutorials on how to enable row-level security based on a userID, but my problem is more complicated and I do not have sufficient understanding of report models to guess.
My security information is defined in a table within my database. It contains a username and an account mask. An account mask maps to 1 or more account codes contained in the other data tables in my report model. A user may have more than one account mask defined for his account.
I understand the concept of directly mapping the logged-in user to a field containing a matching username. Is it possible to do a two-step mapping, so that based on the user ID I can get the account mask(s) and then evaluate which account codes match the mask(s)?
Or is there a different/better way to set this up? Defining SQL roles/groups is not an option, because of some compatibility issues with external systems.
So far, because my security table has no defined relationship with the data tables, I have not even been able to get it into my report model (Would love any suggestions on that one, too.)
I'd appreciate any ideas or suggestions - even if only something to investigate. Thanks, Sarah
My company has a Windows 2008 R2 server which is running SQL Server v11.0.5058. This server was previously running SQL Server 2008 and was recently upgraded. Since the upgrade I have noticed that when I connect to this server using SSMS and Windows authentication it seems as though I have a limited user context as I cannot see SQL Agent in the server tree at all and underneath the server security > logins folder I can only see the sa and SQL Server Windows service accounts (there are many more).
If I connect to the server using SSMS and the sa credential then I can see everything I expect to be able to see as a sysadmin.
I tried connecting as sa, then deleting my Windows AD account from the security > logins folder and reading my Windows AD account with the sysadmin role however this yielded the same result, when I connect using Windows authentication I still appear to be in a limited user context.
We have several other SQL 2008 / 2012 servers within our organization and all of them appear to be working fine / none of them exhibit this problem.
I have a requirement to create a Report Builder Model programmatically and include only a subset of the Entities (Tables) in the Database referenced by the Data Source. What I have to do is create pre-filtered 'datasets' with application security (Role, User) already applied.
When I build a Model via GenerateModel() I get every table. This is because, unlike using Model Designer, I do not get to pick and choose which tables are to be included in the Data Source View.
Note: I cannot apply any security to the Model itself. This is as painful as applying security (table, column, row) directly to the database.
The answer is to set the Hidden 'property' at the Entity Level. I was hoping to use GetProperties() and SetProperties() but this is limited to Catalog Items? I know I can do this by 'editing' the SMDL(XML) and inserting
<Hidden>true</Hidden>
for the Entities I don't want to see but there *has* to be a better way.
I am encountering a problem with reports built on my SQL Server 2005 Reporting Services Server. The reports parameters do not take effect at all? I chose the value from the report parameter list, but the result returned the whole report data. Why is that? And how can I solve this problem? Really need help.
Thanks a lot in advance for any guidance and help.
Can somebody explain the process for implementing Item-Level security for reports? My requirement is as follows:
I have some reports pertaining to a specific department, where in I deployed them to a specific folder on Reporting Services. Now I need to give exclusive read access to those reports for the users in that department. They should not be able to create any folders / new reports etc.
The steps I have followed:
1. Deployed the reports from VS 2005 to a specific folder called "TheirReports" and in this I placed the Data source also as a seperate folder.
2. I clicked on Site Settings in Report Manager and then clicked on Configure Item-Level role definitions.
3. Clicked on New Role and gave a name as ReportsBrowser and checked the options --> "View Data sources / View folders / View reports / View resources"
4. Now I went back to the specific folder and clicked on Properties -> Security -> New Role Assignment.
5. Added the necessary users binding them to ReportsBroser role.
When I'm checking from the user machine, they are able to create new folders etc.
I have developed a custom report item that works fine in design and preview mode while in Visual Studio. I cannot get it to show up on my deployed reports. Here's what I have done so far:
1. Deployed the report using Visual Studio
2. updated the rsreportserver.config file with the following entry:
I've also tried using the StrongNameMembershipCondition with no better results.
4. The dll and its dependencies are copied to the bin directory of the report server.
5. When I load a report with this custom report item on it, the report loads fine with no errors or warnings in the log file (even with verbose tracing). The area where the custom item should be is just white. It's almost like Reporting Services isn't registering the item correctly.
This is particularly frustrating because the report works fine in Visual Studio - apparently I configured that correctly. Any suggestions would be greatly appreciated. I'm stumped.
I need some sugestions from all of you about setting up security model in our SQL2000 box.
The server was setup using Mixed mode. However, all the applications (web and MS access) access the server using "sa" userid.
There are several databases in our server. Ex: (DB1,DB2,DB3,DB4 and DB5)
Application 1: need read/write access to DB1,DB2 and DB3 Application 2: need read/write access to DB5 Application 3: need read/write access to DB4 and DB3
Should I set up three userids and give them the dbo access to those database that they need to use?
I'm a bear with a very little brain. Please review the following story to see if I understand the concepts.
For the purposes of this exercise let's say that a database is used to control a building's HVAC (Heating, ventilation and cooling) system. It's installed by the HVAC vendor, who installs client software on the PC's in the building. This software allows the occupants of the building to alter the setting of the HVAC system. A young and foolish programmer/DBA - eager to show his mettle - accepts the responsibility of overseeing the system to make sure it works. What could go wrong? Easy money.
Given: A database that contains securable. (Tables, views, schema's etc).
By the second week, there is always someone complaining that it's too hot, too cold, too noisy (fans on too high). Everyone is setting their own settings. No one is happy - the only thing that they agree on is that the system doesn't work - and it's up to the less-young and less-foolish programmer/DBA to fix it.
Option #1: Create an Application Role (AIR_GOD) to control who can really write to the thermostat tables. This effectively blocks anyone who doesn't know the AIR_GOD password from fiddling. This password is only given to a carefully selected few.
Two weeks and fourteen passwords later:
Option #2: Create a fixed database role (AIR_GOD2) and drop only the selected few logins into it. (Our programmer is learning)
It helps. But since the users can access the whole thermostat-table - they end up setting each other's zones settings - sometimes by accident. Sometimes the values entered are insane.
Option #3: Create a Data Access Layer (DAL) Our programmer/DBA learns fast - he removes update rights to the thermostat-table from all users with a login. Now the only way to change a thermostat-table setting is through the stored-procedure(s) with the 'user without a login' impersonation. Values are checked before they're written etc.
Is that about right?
(Our story ends with the programmer/DBA growing older and wiser vowing never - ever - ever - to get involved with HVAC control systems again.)
Is is possible to upgrade from 6.5 to 7.0 and have all the logins that have been granted the ability to make a trusted connection to 6.5 be created the same capability in 7.0?
When I did it the logins were created as standard logins in 7.0
I have a question on the security model for MSRS 2005. I have been working with the permissions for the reporting server folders and reports at my company. Now it seems to me that I can let a user have access to a folder but they will not be able to see any reports that they do not have permissions to see. This would seem different from the Windows Security model where I can see an executable but not actually execute it. (ie. In MSRS the user would be able to see the report but not execute it)
Am I correct in this assumption or is there a way to allow the user to see the report but not execute it using the MSRS permissions.
I am using SQL Server 2005 Reporting Services. Right now, I have a textbox with 0 or 1 values in my report and I want to show a checkbox: checked for value 1 and uncheck for 0. Is there anyway to add a checkbox in the report?
How would one go about setting the height of a custom report item programmatically?
I have a custom report item that renders back an image of indeterminate height. I cannot simply set RenderItem.Sizing = Image.Sizings.AutoSize; As the image is being rendered back at 300 dpi and will require being set to FitProportional. Therefore I need to set the height to a scale height. I've tried setting CRI.Height to a ReportSize value, but it tells me that I cannot because of the current state of the item.
We're running into an issue where analysts are having problems obtaining lift charts (via the Mining Accuracy Chart UI available in the Visual Studio Analysis Services project) and performing prediction (via the Mining Model Prediction UI).
The issue seems to be related to the underlying analyst security model. Note that this post is related to:
Analysts that work on the same problem will only have access to:
- A sandbox relational database (which contains views into the same source database). The analyst is db_owner of the sandbox database, so she/he can create data transformations required, etc. The sandbox database contains views to the source database, but the analyst only has read-access to the specific data elements needed from the source DB. So, they are very restricted w.r.t. the source database, but are db_owners of their sandbox relational databases. Note that the analyst will connect to he database via Windows Authentication.
- An Analysis Services sandbox database to use for their modeling, etc. In this AS sandbox db, we've created a role called "Administrator" and checked the permissions: Full control (Administrator), Process database, and Read definition. The analyst's windows account is the "user" associated with this role.
Also, in this situation, the SQL Server 2005 Relational Engine and Analysis Services are running on a single machine. The goal of this security model is to provide analysts with the ability to work in their "workspaces" (both SQL and AS), but not to see other analysts work, etc.
Under this model, Analysts are able to deploy mining models when the Data Source object that points to their relational "sandbox" DB is set-up with "Impersonation Information" = "Use a specific user name and password", where the Analyst provides their domain account information.
But, when trying to build a lift chart using the same data source view objects that were used to successfully train the model, the following error is occurring consistently:
Window Title: "Loading Mining Accuracy Chart" Window Text: "Failed to execute the query due to the following error: Execution of the managed stored rocedure GenerateLiftTableUsingDatasource failed with the following error: Exception has been thrown by the target of invocation. Either '<domain><login>' user does not have permission to access the '' object, or the object does not exist. Errors in the high-level relational engine. A connection could not be made to the data source specified in the query. Errors in the high-level relational engine. A connection could not be made to the data source specified in the query.."
Since the Analyst was able to build the model with her/his given '<domain><login>' credentials, it is puzzling why the lift chart is failing.
I want to use this as the data from which to build a report model. As linked servers don't show up in the Data Source View wizard, I created a view in SQL Server:
create view MyExcel as select * from XL_SPS_1...Sheet1$
Okay, great, now the view shows up in the DSV wizard and I can create the data source view. However, when I create a new report model based on this data source view, the Report Model Wizard tells me at "Create entities for all tables" that I've got an error when it processes dbo_MyExcel that "Table does not have a primary key."
I assume this is where the identifying attributes for the entities in the report model are taken from, so I really can't go further. Does anyone have an idea as to how to add a primary key to a linked server (Excel) in SQL 2005? Can this be done? Other than importing spreadsheet data to a SQL table, how can I get around this?
I'm developing a Custom Report Item that generates a BarCode.
I developed all control functionality but now the problem resides on the Deploy Process.
For the fisrt time I followed 2 steps to deploy component on Visual Studio:
1) Copy the dll on " Program FilesMicrosoft Visual Studio 8Common7IDEPrivateAssemblies " 2) Configure the control in "Program FilesMicrosoft Visual Studio 8Common7IDEPrivateAssembliesRSReportDesigner.config"
On the other Hand I configured SQL Server Reporting services doing that:
3) Copy the dll on " Program FilesMicrosoft SQL ServerMSSQL.3Reporting ServicesReportServerin " 4) Configure the control in "Program FilesMicrosoft SQL ServerMSSQL.3Reporting ServicesReportServer sreportserver.config"
We are developing a custom report item but we cannot find a way to get the report parameters. In Vb examples there is mentioning of globals but these do not seem to be present in the c# enviroment.
Could anyone give a solution on how to get to the report parameter collection in run-time.
I'm looking at creating a custom report item which will allow me to input data into a textbox on the rendered report and dynamically update a textbox or another custom report item once I leave focus of that initial textbox. Is there a way to accomplish this? I have read that you can only create CRIs which use "graphic elements and images". Is that a true statement?
The reason why I don't want to have the initial value as a parameter is becuase the client doesn't want to have to click "View Report" everytime they want to see an updated value.
I have created and deployed a data source (which uses "Credentials supplied by the user running the report") and a model which uses this data source. Also I have built a report using Report Builder and all works well.
Now I wish to use Visual Studio to build a report, so I'm trying to create a data source from my computer which the report should use and I want it to use the model on the remote server. In the Report Wizard I am using "Report Server Model" and the following connection string:
IHowever I can't make the credentials to work. I've tried them all with no luck. What username/password must I use? Because so far nothing of what I have tried works.
I've created dsv that contain all fields from table database. in the smdl I've remove some fileds due to security. All fields in the smdl do not contain drill.
Issue: When I created calculated field in the report builder the field has a link. When I clicked the drill I saw all the record data including field that not in the smdl.
Questions:
1) Can I remove the link from the calculated fields?
2) Can I prevent from users drill to fields that not in the smdl?
Hi, I would like to demonstrate mining temporary models in an ASP.NET application.
Creating, trainning, predicating actions are all witten at C# codes as follows:
Code Snippet
using (AdomdCommand cmd = new AdomdCommand()) { // Build temporary mining model cmd.Connection = asConn; cmd.CommandText = "CREATE SESSION MINING MODEL " + modelName + " (" + "HCVS_MemberId Text KEY," + "HCVS_MeasureDate DATE KEY TIME, " + "SysPressure LONG CONTINUOUS PREDICT, " + "DiaPressure LONG CONTINUOUS PREDICT," + "Pluse LONG CONTINUOUS PREDICT" + ") " + "USING Microsoft_Time_Series(Missing_Value_Substitution='Mean' ) "; // Periodicity_Hint = '{12}' cmd.ExecuteNonQuery();
// Train Data cmd.CommandText = "INSERT INTO " + modelName + " (HCVS_MemberId, HCVS_MeasureDate, SysPressure, DiaPressure, Pluse) " + "OPENQUERY([Healthcare], " + " 'SELECT HCVS_MemberId, HCVS_MeasureDate, SysPressure,DiaPressure,Pluse" + " FROM v_VitalSignForecast WHERE HCVS_MemberId=''" + id + "'' AND HCVS_MeasureDate>=''" + from.ToShortDateString() + "'' AND HCVS_MeasureDate<=''" + to.ToShortDateString() +"'' ')";
cmd.ExecuteNonQuery(); // Predict upon the Train Data. In addition, the standard deviation of each predicated value is retrieved cmd.CommandText = "SELECT FLATTENED " + "( SELECT *, " + " SysPressure + PredictStdev(SysPressure) AS [SysPressure_PlusStdev], " + " SysPressure - PredictStdev(SysPressure) AS [SysPressure_MinusStdev] " + "FROM PredictTimeSeries(SysPressure, " + fDays + ") AS SysTable " + ") " + "FROM " + modelName ;
AdomdDataAdapter adapter = new AdomdDataAdapter(cmd);
DataSet sysDS = new DataSet(); adapter.Fill(sysDS); The problem is that I do not know how to configure my Analysis Service Server to let ASP.NET account can utilize it. And ASP.NET account in trun impersonates the account who is authorized to use Healthcare DB in the Openquery. Please give a help. Thanks a lot.