Shared datasource security

  • ttdeveloper

    SSCrazy

    Points: 2360

    Good morning

    I have a project requirement to allow 3rd party vendors direct access to our SSRS service so they can self serve their own reports.

    We are working on the security model requirements and trying to mitigate the following.

    Under no circumstances do we want a report developer to accidentally create a report using the wrong data source and potentially give the vendor access to data they are prohibited from seeing.

    I am looking for a way to have our shared datasources which use credentials stored on the server have additional security added to them so a user who is not allowed access to said datasource won't be able to connect.

    Example

    Folder A has a shared data source (datasource A). Folder A has  permissionss where only certain users who are not vendors can access data source A. If a report is created using this shared datasource and deployed to folder B, there's a chance the vendor could access unauthorized data as datasource A will authenticate just fine in error when they connect to their report in Folder B.

    Can the use of data extensions mitigate this risk? Eg. Only users allowed to access datasource A will get access to it even if the report is accidentally created and deployed to the wrong folder.

    Thank you for your help in advance

  • MVDBA (Mike Vessey)

    SSC-Insane

    Points: 21197

    if you are asking what I think you are , then put a manual entry password on the report.. if it gets deployed to the wrong folder then the other client won't be able to open the report

    MVDBA

  • ttdeveloper

    SSCrazy

    Points: 2360

    Hey MVDBA

    Thanks for getting back. The scenario i'm looking at here is the report (rdl) getting deployed to the right folder for Vendors but accidentally using a shared datasource consequentially giving vendors access to the "wrong" data.

    As you already know, SSRS doesn't have an out the box solution to secure datasource outside the windows or security credentials stored on the server. Does this make sense?

  • MVDBA (Mike Vessey)

    SSC-Insane

    Points: 21197

    the only thing I can think to suggest is in the code for the report, do something like..... scrape the report folder from the URL (or other ways) and try mapping it to the data source... if they don't match then do a response.redirect

    best I can come up with - there was a similar thread a few days ago and he was doing something similar

    MVDBA

Viewing 4 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic. Login to reply