Checking Level Of Security Given The Folder Structure Being Used
Jan 23, 2008
Hi,
Could someone please advise if the report folder structure I am proposing will be secure enough so unauthorised users can't access the reports?
I have created three folders; Departments (that contains subfolders being one for each department), Sections (that contains subfolders being one for each section), and Open Access. A manager will either see the Department or Section folder and then the relevant subfolder for the area he/she manages.
I have deployed the reports from the Development Studio to the Home page, made them invisible there, but created linked reports that then show in the subfolders. Each subfolder contains a separate linked report and each has parameters set within the Properties tab of SSRS that only enables the manager who will access that subfolder to see the report details specific to their area.
A manager will then be given the browser role for only the subfolder he/she has access to.
I would like to be sure that a manager will not be able to see information in other subfolders. Will my proposed structure be secure enough?
Hi, I have a folder structure of reports like this:
    Home
    /  \
   A    B
Now, suppose I have created folder A first, and a user, say A_User, is given permission to view this folder. I am expecting this user to browse from 'Home' to the A folder, but as you know, to browse folder 'Home' he must also be added to the 'Home' folder. So I add him to 'Home' now.
The problem comes when I add new folder B, for user B_User. The moment I add this folder, A_User is also added to folder B because of the inheritance of users to child folders. So user A is able to see both the A and B folders... and that's my problem; he is supposed to see only the A folder and not B.
Is there any way to disable this inheritance feature? I tried deleting A_User from B with a script using the "InheritParentSecurity" method of ReportingService, but it says that it cannot delete inherited users.
How can I fix the problem without needing to manually delete users from folders?
Now my problem is that I can log in using different user logins,
but I can view the deployed folder structure using one user account only; the others just have access to connect to the report server.
But in my rsreportserver.config file
I have already added three separate user accounts like this:
<adminconfiguration>
<username>asd</username>
<username>asd1</username>
<username>asd2</username>
</adminconfiguration>
and I have added these user names to the report server Users table as well,
but the problem is again that I can see the folder structure using the asd2 user login only; the other users just have login permission, they can't see the folder structure.
Hi all, I need a big favour. I have to collect information like TableName -> all its column names -> dependent table name of each column (where this column is referenced).
I have managed to get some info like:
select so.name as 'Table Name', sc.name as 'Column Name', st.[name], sc.length, sc.isnullable, so.crdate
from syscolumns sc
inner join sysobjects so on so.id = sc.id
-- join on xusertype: xtype alone matches both nvarchar and sysname and duplicates rows
inner join systypes st on st.xusertype = sc.xusertype
where so.xtype = 'U'
order by so.name
sp_depends and sp_MSdependencies are not returning the same fields.
I'm going to preface this with that I'm new to DB design but hopefully I can ask some very specific questions so that I don't head in the wrong direction.
My database server name is KIERONEILSQLEXPRESS
Let's say that I want to develop two applications each with a Dev, Stage, and Production environment.
Do I create two new Database servers with three databases in each? i.e. KIERONEILSQLEXPRESSAPP1 Databases: App1Dev, App1Stage, and App1Prod
KIERONEILSQLEXPRESSAPP2 Databases: App2Dev, App2Stage, and App2Prod
Is there a better way or are there limitations to doing it this way?
I wrote the below script to print all folders and files located in the share path. How to extend my script to mention by adding another column whether the file is a folder/file , sort of 0 or 1.
How to design an SSIS package which loops through DESTINATION folder files and checks whether that file is there in the SOURCE or not.
If the file exists then I have to check the modified date on the DESTINATION file; if it is greater than 1 day, delete that file. If the modified date is less than that of the SOURCE file then I have to copy that file to DESTINATION.
If there are files which exist in SOURCE and not in DESTINATION, then how shall we copy all the files to the DESTINATION that are created on the day of execution of the package?
When my app starts up I want to ensure that the database compatibility level has been set to 90. I know about sp_dbcmptlevel, but that only seems to work in an interactive session; the documentation says it can't be used in a stored procedure, and that appears to be true. Does anyone know how I could read the database compatibility level in a stored proc?
SQL Server allows for a user to have SELECT permission on a View without that user requiring an associated SELECT permission on the underlying table that the VIEW accesses, but the user can still access the data through the View. A similar arrangement holds true for stored procedures. So based on these initial known behaviours, I have a couple of questions:
1. If a stored procedure A executes stored procedure B, does the user of A require execute permission for B also? Or will access to B be permitted regardless because the user was given access to A?
2. Similarly, if a stored procedure A accesses a View, does the user of A require permissions on the referenced View?
I guess to paraphrase what I am trying to determine is whether SQL Server only checks permissions at the "entry" point of a particular function, or whether permission checks are performed "intra-function". My opening examples imply they are only checked "on entry", but I am wondering if this behaviour is entirely consistent. Perhaps the SQL Standard mandates this?
I have created around 150 reports using SSRS. I just made a new data-driven subscription (file sharing) using Report Manager. Now I'm wondering, is there any option to make a subscription at a higher level? That means instead of subscribing report by report, can I do it at the folder level using Report Manager without writing a program?
I need to check long strings and only allow them through if they contain alpha-numeric characters and selected other characters (apostrophe, comma, colon, full stop), and reject all other strings. So in pseudocode (very roughly):
FOR EACH character in string
    IF (character not alphanumeric AND character not valid character)
        reject string (end loop)
Accept string
Hi all, I need to have a check procedure which rejects long strings if they contain anything other than 'allowed' characters (alphanumeric characters and selected other characters - space, comma, apostrophe). So in (very rough) pseudocode:
FOR EACH character in string
    IF (character is not alphanumeric AND character is not valid)
        reject string; (end checking)
Accept string.
Hiiiiiiiiiiii, Why my program can't access data base, if i'm not set permission & security to All User (Everyone)..?? FYI, my IIS setting for directory security is Basic Authentication. Pls advise how my program can access the program, if permission & security are not set to Everyone ?? Thanks
On our report server I have several folders. I would like to set up security such that a user doesn't see any folders except the "My Reports" folder (I enabled the My Reports site option) and a few other folders I specify. These are a shared folder and the models folder.
Is there a way to create a system level role that by default can't browse any folders except My Reports and ones I specifically grant? I would also like this person to default to having the item level security role of report builder to create reports off of report models.
The only way I have been able to accomplish this so far was to add the user to the system users site level role and then go to every undesired folder and delete the item level role assignments for the user. It seems odd for the user to have access to every folder then to remove permissions from each folder. Should I create a role with no tasks and then selectively add in the permissions to the desired folders?
I did try creating a new system level role that only had the Execute Report Definitions task assigned and assigned the user exclusively to this role but they could still see all of the folders and their My Reports folder. When I created a new folder the user had been defaulted to item level roles of Browser and Report Builder. I suspect these defaults are what caused the new folder to be visible as soon as I created the folder.
I searched the forum for my question so hopefully I am not causing a re-answer of this question.
Hi, the Report Manager portal has many folders. For each folder there are specific users with different roles. I am trying to figure out a way to extract user- and folder-wise security data. I want to run a query and retrieve the user names, the folders they have access to and the user role corresponding to that folder.
Use ReportServer
SELECT u.UserName, r.RoleName
FROM users u, policyuserrole pur, roles r
WHERE pur.UserID=u.UserID AND pur.RoleID=r.RoleID
The above query fetches all the users and their roles. The folder information corresponds to the Path column of the Catalog table. I am unable to link this table with the above query. TIA
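An added example, not part of the original post: one way to tie the poster's user/role query to folders for a permissions audit. It assumes the ReportServer catalog schema as commonly seen in SSRS 2005/2008 (Catalog.PolicyID, Catalog.PolicyRoot, Catalog.Type = 1 for folders); these tables are internal to SSRS, so treat the column names as assumptions and query them read-only.

```sql
-- Added example (not from the original post). Read-only audit of folder-level
-- role assignments. Column names are assumed from the SSRS 2005/2008 catalog.
USE ReportServer;

SELECT
    c.Path        AS FolderPath,
    u.UserName,
    r.RoleName,
    -- Assumed meaning: 1 = the folder carries its own policy,
    -- 0 = it shares (inherits) the policy of a parent folder.
    c.PolicyRoot  AS HasOwnPolicy
FROM dbo.Catalog AS c
INNER JOIN dbo.PolicyUserRole AS pur
        ON pur.PolicyID = c.PolicyID     -- the link the post is missing
INNER JOIN dbo.Users AS u
        ON u.UserID = pur.UserID
INNER JOIN dbo.Roles AS r
        ON r.RoleID = pur.RoleID
WHERE c.Type = 1                         -- assumed: 1 = folder
ORDER BY c.Path, u.UserName, r.RoleName;
```

Folders that show HasOwnPolicy = 0 list the same principals as their parent, which is where an account granted on Home also appears on every subfolder that still inherits.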
I have the following problem: (not similar to http://www.sqlteam.com/forums/topic.asp?TOPIC_ID=101916)
In one table (Objects) there exists an Id to my internal security tables, where the combination of many features together determines which data the user can see. Today, I use only one SQL account and the security is solved in my application. In an SP a where clause is generated, and every SQL statement is extended with this where clause. This works fine, but everyone with the SQL user and password can see everything through Query Analyzer or Management Studio.
The perfect solution could be: several user groups should have access to my DB. Only a few views / SPs are executable for these user groups.
The application always calls the same view / SP, and depending on the login the data is filtered in the right way.
Is it possible to filter a view with dynamic SQL?
2nd question:
Is it possible to restrict users / roles depending on the network IP address / network mask?
The security problem only exists when users with VPN are connecting; internal users always have full access.
I am attempting to create a view only user in Report Manager which can only view and run reports from a single directory. I have the following configured:
Active directory Group: DomainReport Users - Group Scope: Global; Group Type: Security; Member of: <none>
Active directory User: DomainReportUser - Member of: DomainReport Users group
Default web site Reports virtual directory: Directory security: Integrated Windows Authentication only
Default web site ReportServer virtual directory: Directory security: Enable Anonymous Access (user: domainadministrator) & Integrated Windows Authentication
Report Manager
Site Settings->Item-level roles: New role: Report Viewer; view folders and view reports only items selected
ReportFolder(Report Manager folder with reports): Properties->Security: Added DomainReportUser with Report Viewer role
When I go to my Report Manager site (e.g. http://url/reports) I get the Windows security form, in which I enter the DomainReportUser credentials. However, after I log in I have full rights to all folders and functions of Report Manager, as if I logged in as BuiltinAdministrator.
At what level of security is this breaking down? As far as role-based, I believe DomainReportUser should only have access to limited resources of Report Manager when logging on. What is allowing him to have Content Manager control of Report Manager? Is there a better way to set up a "view reports only" user access to Report Manager?
I have Windows 2003 and Reporting Services 2005 that has been working fine. Now all of a sudden when I go to http://localhost/reports I am unable to assign security to folders (the link is hidden), the New Data Source button is hidden, the New Folder button is hidden, and Upload File and Report Builder are also hidden. I am logged in as administrator.
Also when I connect to reporting services through SQL Mgmt Studio I have the same issue, there are no options for permissions only a general option.
I'm sure it's a permissions issue but what do i do to resolve?
Hey, I have 3 columns in a table. Ex: Select Column1, Column2, Column3 from TableName
1. Person A should have permission to read values only from Column1 and Column3 of the table. 2. Person B should have permission to read only Column2.
Here my question is, I have to write one single stored procedure to satisfy both conditions. Which means, if person A executes this stored procedure, he should get only Column1 and Column3 values. Similarly, person B should get the Column2 value. Ex: Column 1 - Empid, Column 2 - SSN (only for top user display), Column 3 - Join Date. Persons A and B are SQL or Windows logins.
I am setting up a database for one contractor who needs to access one of our databases, but I need to remove the permission for them to view the security folder so he can't access the SA account and enable it. I was able to deny them the view permission to see all the other databases and hide the system objects, but I can still see the security folder and the sa account there, where I can disable and enable it.
I have a BI reporting scenario, wherein I have to fetch reports from Analysis Services. When the user tries to access a report, he should be validated using the Windows Authentication ID, and only data specific to that user should be displayed. I am not sure if this user authentication is to be done on Analysis Services or Reporting Services.
Any suggestions/pointers would be highly appreciated.
I need to secure a data warehouse table at the row level based on 1 to many keys on that table. A user should only see the rows they have access to. I need to be able to figure out which rows they have access to using a single SQL statement, and it cannot be dynamic SQL or a stored procedure (this is a limitation based on the reporting tool we use).
The conditions can be any combination of "and" and "or" operators. I have seen posts (and actually have three of his books) by Joe Celko describing disjunctive canonical form. If not familiar please click the link below.
http://groups.google.com/group/comp...db6abcfa6209d2f
A rules table in disjunctive canonical form looks like it might potentially be a solution, but I can't figure out how to use it across multiple keys.
Here is an example of what I am trying to do, including current table structures and sample data. I cannot really change the generic_fact table schema, but the security cross reference table can be modified or additional tables added.
CREATE TABLE generic_fact (
    generic_fact_key int NOT NULL,
    salesrep_key int NOT NULL,
    product_key int NOT NULL,
    customer_key int NOT NULL,
    sales_amount decimal(18, 0) NOT NULL,
    CONSTRAINT PK_generic_fact PRIMARY KEY (generic_fact_key)
)
GO
insert into generic_fact values(1,1,10,20,45)
insert into generic_fact values(2,1,10,21,90)
insert into generic_fact values(3,1,11,22,17)
insert into generic_fact values(4,2,10,20,32)
insert into generic_fact values(5,2,13,25,6)
insert into generic_fact values(6,2,12,24,56)
insert into generic_fact values(7,3,11,34,75)
CREATE TABLE security_cross_reference (
    cross_ref_key int NOT NULL,
    user_key int NOT NULL,
    security_type varchar (50) NOT NULL,
    security_value int NOT NULL,
    security_operator varchar (20) NOT NULL,
    CONSTRAINT PK_security_cross_reference PRIMARY KEY (cross_ref_key)
)
GO
insert into security_cross_reference values(1,1,'product',10,'or')
insert into security_cross_reference values(2,1,'customer',21,'or')
insert into security_cross_reference values(3,2,'customer',20,'and')
insert into security_cross_reference values(4,3,'salesrep',3,'and')
insert into security_cross_reference values(5,4,'salesrep',1,'and')
insert into security_cross_reference values(6,4,'customer',22,'and')
insert into security_cross_reference values(7,4,'product',11,'and')
So based on the data in the security cross reference table:
User 1 can see sales for customer 21 or product 10 (generic_fact table rows that have generic_fact_key values of 1, 2, and 4)
User 2 can see sales for customer 20 (generic_fact table rows that have generic_fact_key values of 1 and 4)
User 3 can see sales for salesrep 3 (generic_fact table rows that have a generic_fact_key value of 7)
User 4 can see sales for salesrep 1 and product 11 and customer 22 (generic_fact table rows that have a generic_fact_key value of 3)
Does anyone have any ideas on the best way to do this?
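An added example, not part of the original post: a single static SELECT over the poster's two tables that applies the flat rule set shown in the sample data. It assumes that each 'or' rule grants a row on its own, that all of a user's 'and' rules must match the same row, and that @user_key (a placeholder) is supplied by the reporting tool; nested and/or groups would need a rule-group column that the posted schema does not have.

```sql
-- Added example (not from the original post). Uses the tables and sample rows
-- from the post above. @user_key is a placeholder for the current user.
DECLARE @user_key int;
SET @user_key = 4;   -- constructed test value

SELECT f.generic_fact_key, f.salesrep_key, f.product_key,
       f.customer_key, f.sales_amount
FROM generic_fact AS f
WHERE
    -- Branch 1: any single 'or' rule that matches this row grants access.
    EXISTS (
        SELECT 1
        FROM security_cross_reference AS s
        WHERE s.user_key = @user_key
          AND s.security_operator = 'or'
          AND (   (s.security_type = 'salesrep' AND s.security_value = f.salesrep_key)
               OR (s.security_type = 'product'  AND s.security_value = f.product_key)
               OR (s.security_type = 'customer' AND s.security_value = f.customer_key))
    )
    -- Branch 2: the user has 'and' rules and none of them fails on this row
    -- (relational division). Requiring at least one rule keeps a user with no
    -- rules from seeing everything.
    OR (
        EXISTS (
            SELECT 1
            FROM security_cross_reference AS s
            WHERE s.user_key = @user_key
              AND s.security_operator = 'and'
        )
        AND NOT EXISTS (
            SELECT 1
            FROM security_cross_reference AS s
            WHERE s.user_key = @user_key
              AND s.security_operator = 'and'
              -- An unrecognised security_type matches nothing, so the rule
              -- counts as failed and the row is withheld (fails closed).
              AND NOT (   (s.security_type = 'salesrep' AND s.security_value = f.salesrep_key)
                       OR (s.security_type = 'product'  AND s.security_value = f.product_key)
                       OR (s.security_type = 'customer' AND s.security_value = f.customer_key))
        )
    )
ORDER BY f.generic_fact_key;
```

Because every compared column is declared NOT NULL in the posted schema, none of the predicates can evaluate to UNKNOWN and slip a row past the NOT EXISTS check.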
I am trying to find the best way to implement complex column-based security. Basically I need to secure data among a lot of tables with millions of rows, so that some users may see some columns and others see different ones... What's the best way to implement this kind of procedure securely and flexibly?