October 28, 2019 at 10:48 am
Good morning
I have a project requirement to allow 3rd party vendors direct access to our SSRS service so they can self serve their own reports.
We are working on the security model requirements and trying to mitigate the following.
Under no circumstances do we want a report developer to accidentally create a report using the wrong data source and potentially give the vendor access to data they are prohibited from seeing.
I am looking for a way to have our shared datasources which use credentials stored on the server have additional security added to them so a user who is not allowed access to said datasource won't be able to connect.
Example
Folder A has a shared data source (datasource A). Folder A has permissionss where only certain users who are not vendors can access data source A. If a report is created using this shared datasource and deployed to folder B, there's a chance the vendor could access unauthorized data as datasource A will authenticate just fine in error when they connect to their report in Folder B.
Can the use of data extensions mitigate this risk? Eg. Only users allowed to access datasource A will get access to it even if the report is accidentally created and deployed to the wrong folder.
Thank you for your help in advance
October 28, 2019 at 1:19 pm
if you are asking what I think you are , then put a manual entry password on the report.. if it gets deployed to the wrong folder then the other client won't be able to open the report
MVDBA
October 28, 2019 at 2:20 pm
Hey MVDBA
Thanks for getting back. The scenario i'm looking at here is the report (rdl) getting deployed to the right folder for Vendors but accidentally using a shared datasource consequentially giving vendors access to the "wrong" data.
As you already know, SSRS doesn't have an out the box solution to secure datasource outside the windows or security credentials stored on the server. Does this make sense?
October 28, 2019 at 2:44 pm
the only thing I can think to suggest is in the code for the report, do something like..... scrape the report folder from the URL (or other ways) and try mapping it to the data source... if they don't match then do a response.redirect
best I can come up with - there was a similar thread a few days ago and he was doing something similar
MVDBA
Viewing 4 posts - 1 through 3 (of 3 total)
You must be logged in to reply to this topic. Login to reply