I am currently the only Reportbuilder / Contentmanager / Publisher and admin in the Report server database. I am using windows authentication when creating subscriptions and saving them in this database. Some of the reports that i create have very sencitive information. What risks and procautions do i need to assess if i want to add another reportbuilder / content manager that can manage subscriptions? The main thing is I do not want the other builder and content manager to see my report information. is it just meta data that it holds or do i need to worrie about the data also? if so what do others do to block them from viewing other peoples data?
Summery : I just want them to see data that is relevent to their work and not mine. Is this even an issue? I know it will save query results if i do a snapshot.
I read something concering this in Brian Larson's Reporting Services 2005 book
I think basically you're stuck with Windows Authentication if you want everyone to see only their own stuff (and control their permissions in SQL server)
Ours have shared data source with one account into SQL Server, security is only at the RS folder level
but the situation is different than yours as in our environment, everyone sees the same thing (e.g. all managers see one report)
|||Thanks, hopefully i can gather some more info on this. It seems to me that this is not an uncommon need with reporting services.
Brian
|||Hi,There are probably different layers of access control here.
For starters, you have to use stored procedures to generate the report data and not use cache and filters. This way, your SP can check the user credential at runtime and deliver only the parameters values and the slice of data this user is allowed to access. Always pass the userid as sp parameter.
This is on the top of the ReportManager folder security.
To achieve this you will probably want to use only Windows group membership info, no SQL Server logins. yo have to either query LDAP/AD or maintain a local table of groups, users and group membership.
you would also have to create a couple SQL server application accounts, one for each report builder, then I think you can control access to various schema's so another report builder cannot see tables in your confidential schema (or database).
As far as subscriptions are concerned I believe that only meta data is stored in the ReportServer database. Unless your metadata is confidential, I do not think you have to care about this. you may just want to make sure one cannot create subscriptions for someone else and make sure no subscriptions will ever be sent to expired accounts.
You may also want to explore the config files to see what options you have as limiting access to subscriptions and access to domains.
This is not a very precise answer however your question is broad, so I cannot do better than giving hints.
Philippe|||
Do you know if actual data is kept in the Report server database ? I know snap shots are and from what I understand they would have data in them but other than that do you know if any quried data would be kept in there. I am not conserned with others seeing meta data for the report so at least that is not an issue.
Brian
|||anyone else
No comments:
Post a Comment