Conditional Execution of an SSRS Report
-
Monday, March 18, 2013 9:27 AM
We have a security situation which we have to address very fast.
We had created a report in which an employee number was sent as a parameter and a report for that employee would get generated. The link for this report was sent to various employees on email. While this worked perfectly, the employees soon realised that if they change the employee number in the link they could see the data of another employee.
I have a master table at the backend which stores the Windows AD ID for each employee. When the parameters are submitted to the SSRS report, I would like to check whether the Windows AD ID of the user who has sent the report request is equal to the Windows AD ID of the employee code (as derived by a lookup from the above table). If the two are not equal then the report should not fire, and should show a message such as 'Unauthorised Access'.
Is such a conditional execution of an SSRS report possible? In which event would such checking be done? Any sample code?
An urgent reply would be highly appreciated.
Sanjay Shah
All Replies
-
Monday, March 18, 2013 10:51 AM
Hi,
You cannot hide your parameters in the URL, but you can send a link and code it with JavaScript to show your report in a new page and hide all of your URL.
Regards
http://simplesqlserver.wordpress.com/
Dj's | Please mark as answered or vote helpful if this post helped resolve your issue. Thanks!
-
Monday, March 18, 2013 11:15 AM
Hi,
I have not understood the solution. The URL to the report is sent to all the employees. They just have to click on the URL to see their report.
So if they change the URL (by changing the employee number) and click, how do I achieve the required security?
Kind Regards
Sanjay
-
Monday, March 18, 2013 1:29 PM
Hi,
When you send the report URL, you send it by email.
So, the user just has to click on the link.
To solve your problem, you have to code the link in your email.
Send it as:
<a href="javascript:window.open('http://ServerName/ReportsServer<YOURREPORT + PARAMS >', 'Reports' ,'toolbar=no,location=no,status=no,menubar=no,width=1000,height=350');"> LINK </a>
Regards
http://simplesqlserver.wordpress.com/
Dj's | Please mark as answered or vote helpful if this post helped resolve your issue. Thanks!
-
Tuesday, March 19, 2013 4:36 AM
hi,
Thanks for your answer, but I am not much of a programmer and don't understand the above.
However, with your solution what exactly will happen? Will the user continue getting a link in the email? If he clicks on the same, will the link go to the browser and then generate the report? Will it happen that in no case he can alter the parameters?
kind regards
sanjay
-
Tuesday, March 19, 2013 8:37 AM Moderator
Hi Sanjay,
As per my understanding, we needn’t check whether the Windows AD ID of the user who has sent the report request is equal to the Windows AD ID of the employee code or not. In Reporting Services, there is a built-in field UserID; we can get the employee number based on the UserID of the user who executes this report, and then retrieve the data from the database based on this employee number. In this case, we needn’t provide an employee number in the URL, so that they cannot see the data of another employee.
Reference: Built-in Globals and Users References (Report Builder and SSRS)
Hope this helps.
Regards,
Charlie Liao
TechNet Community Support
Marked As Answer by Sanjay Lallubhai Shah Tuesday, March 19, 2013 8:45 AM
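The approach in the accepted answer, written out as dataset queries. This is an added example and not code posted by anyone in the thread; the table and column names (dbo.EmployeeMaster, dbo.EmployeeReportData, WindowsAdId) and the sample rows are assumptions. It relies on a dataset query parameter, here called @RequestingUser, whose value is the expression =User!UserID.

```sql
-- Constructed schema and rows for illustration; all names are hypothetical.
CREATE TABLE dbo.EmployeeMaster (
    EmployeeNumber int           NOT NULL PRIMARY KEY,
    WindowsAdId    nvarchar(256) NOT NULL UNIQUE  -- DOMAIN\user, the form User!UserID returns
);
CREATE TABLE dbo.EmployeeReportData (
    EmployeeNumber int            NOT NULL REFERENCES dbo.EmployeeMaster (EmployeeNumber),
    PeriodEnd      date           NOT NULL,
    Amount         decimal(12, 2) NOT NULL
);
INSERT INTO dbo.EmployeeMaster VALUES (1001, N'CORP\asmith'), (1002, N'CORP\bjones');
INSERT INTO dbo.EmployeeReportData VALUES (1001, '2013-02-28', 100.00),
                                          (1002, '2013-02-28', 200.00);

-- In the report, @RequestingUser is bound to =User!UserID under
-- Dataset Properties > Parameters and is never exposed as a report parameter.
-- The DECLAREs below only simulate a request so the queries run in a query window.
DECLARE @RequestingUser nvarchar(256) = N'CORP\asmith';  -- who is actually logged on
DECLARE @EmployeeNumber int           = 1002;            -- value edited in the URL

-- Before: the row filter trusts the URL parameter, so asmith gets employee 1002's row.
SELECT d.EmployeeNumber, d.PeriodEnd, d.Amount
FROM dbo.EmployeeReportData AS d
WHERE d.EmployeeNumber = @EmployeeNumber;

-- After (accepted answer): no employee number in the URL at all. The employee is
-- derived from the authenticated identity, so asmith can only ever get row 1001.
SELECT d.EmployeeNumber, d.PeriodEnd, d.Amount
FROM dbo.EmployeeReportData AS d
JOIN dbo.EmployeeMaster     AS m ON m.EmployeeNumber = d.EmployeeNumber
WHERE m.WindowsAdId = @RequestingUser;

-- Variant matching the original question: keep the URL parameter but require that
-- it belongs to the requesting user. A tampered number returns zero rows.
SELECT d.EmployeeNumber, d.PeriodEnd, d.Amount
FROM dbo.EmployeeReportData AS d
JOIN dbo.EmployeeMaster     AS m ON m.EmployeeNumber = d.EmployeeNumber
WHERE d.EmployeeNumber = @EmployeeNumber
  AND m.WindowsAdId    = @RequestingUser;
```

With the variant query, the tablix NoRowsMessage property can be set to 'Unauthorised Access' so that an empty result shows that text instead of a blank report.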
-
Tuesday, March 19, 2013 8:45 AM
Hi Charlie
Yes, that's what we ultimately did.
Kind Regards
Sanjay


