Just out of curiosity, what keeps a user who is not allowed to view a report from sending another username via a URL, or via some other method? As in the following http://msdn.microsoft.com/en-us/library/ms155391.aspx?PHPSESSID=ca9tbhkv7klmem4g3b2ru2q4d4.

It seems to me this security model is rather easy to bypass. Additionally, it increases the time it takes to maintain the security (having to enter a user in AD and then again in you table). I don't believe it's one I would recommend.

-Luke.