Hi all,
I am a newbie to reporting services and am assigned the task of
building an architecture for hosting reports for different departments
in the organization. I am setting up a prototype and have a few
questions:
Environment: SQL Server 2005, VS 2005.
1. I understand that I can use either the ReportViewer control or the
Reporting Services web service to create reports. Which is recommended
and why?
2. Which is the best way to render a report? The reports will be
consumed from a Java/JSP environment.
3. What is the difference between Local and a Server mode for Reports?
4. How do I make a determination while developing reports whether to
use more RDL or to have more logic embedded in the ASP.NET application
Thanks,Hello,
Any help is really appreciated.
Thank you.
sandeshmeda@.gmail.com wrote:
> Hi all,
> I am a newbie to reporting services and am assigned the task of
> building an architecture for hosting reports for different departments
> in the organization. I am setting up a prototype and have a few
> questions:
> Environment: SQL Server 2005, VS 2005.
> 1. I understand that I can use either the ReportViewer control or the
> Reporting Services web service to create reports. Which is recommended
> and why?
> 2. Which is the best way to render a report? The reports will be
> consumed from a Java/JSP environment.
> 3. What is the difference between Local and a Server mode for Reports?
> 4. How do I make a determination while developing reports whether to
> use more RDL or to have more logic embedded in the ASP.NET application
> Thanks,|||I suggest looking at some links on MS site:
http://msdn2.microsoft.com/en-us/library/aa964126.aspx
http://msdn2.microsoft.com/en-us/sql/aa336316.aspx
First, the control can only be used with a 2.0 framework asp.net website. If
that is the case then that is the easiest way to integrate in. Although you
say java/jsp which confuses me. asp.net <> jsp.
Local mode requires a good bit more work. You provide the tableset for it
but you also have to respond to events for subreports and other things like
that. It is not as easy as developing server based reports. You also lose
out on functionality like caching, subscriptions etc provided by the server.
My suggestion is first learn RS. Install the development environment, create
some reports and subreports. Try doing some typical things.
If the end result is that your app is not an asp.net app they you have to
roll your own integration and use either webservices or URL integration.
--
Bruce Loehle-Conger
MVP SQL Server Reporting Services
<sandeshmeda@.gmail.com> wrote in message
news:1164746622.750876.306310@.45g2000cws.googlegroups.com...
> Hi all,
> I am a newbie to reporting services and am assigned the task of
> building an architecture for hosting reports for different departments
> in the organization. I am setting up a prototype and have a few
> questions:
> Environment: SQL Server 2005, VS 2005.
> 1. I understand that I can use either the ReportViewer control or the
> Reporting Services web service to create reports. Which is recommended
> and why?
> 2. Which is the best way to render a report? The reports will be
> consumed from a Java/JSP environment.
> 3. What is the difference between Local and a Server mode for Reports?
> 4. How do I make a determination while developing reports whether to
> use more RDL or to have more logic embedded in the ASP.NET application
> Thanks,
>|||Thanks for your suggestions.
The reporting project will be .NET based but the Web application that
is consuming these reports is a JSP app. Right now I think the best
approach is to use URL method of embedding reports and using a IFRAME
to render. Is there a better way?
I guess I will stick with the Servermode for now for the advantages you
mentioned.
Here's the environment I have in mind.
1. Create a VS 2005 project a ASP.NET application that has a page for
displaying reports. Say Report.aspx
2. Create another project for all the data sources and the report
definitions
3. For integration with a JSP app, have the page call the Report.aspx
page and send as query string params - the report name, the parameters.
4. The Report.aspx that hosts the ReportViewer control sets the Report
path dynamically and renders the report.
Will this architecture be scalable? We plan to host hundreds of
reports.
The other question is to how to use the query parameters from the
Report.aspx to create datasources (does this need to be done
programmatically)?
Bruce L-C [MVP] wrote:
> I suggest looking at some links on MS site:
> http://msdn2.microsoft.com/en-us/library/aa964126.aspx
> http://msdn2.microsoft.com/en-us/sql/aa336316.aspx
> First, the control can only be used with a 2.0 framework asp.net website. If
> that is the case then that is the easiest way to integrate in. Although you
> say java/jsp which confuses me. asp.net <> jsp.
> Local mode requires a good bit more work. You provide the tableset for it
> but you also have to respond to events for subreports and other things like
> that. It is not as easy as developing server based reports. You also lose
> out on functionality like caching, subscriptions etc provided by the server.
> My suggestion is first learn RS. Install the development environment, create
> some reports and subreports. Try doing some typical things.
> If the end result is that your app is not an asp.net app they you have to
> roll your own integration and use either webservices or URL integration.
> --
> Bruce Loehle-Conger
> MVP SQL Server Reporting Services
> <sandeshmeda@.gmail.com> wrote in message
> news:1164746622.750876.306310@.45g2000cws.googlegroups.com...
> > Hi all,
> >
> > I am a newbie to reporting services and am assigned the task of
> > building an architecture for hosting reports for different departments
> > in the organization. I am setting up a prototype and have a few
> > questions:
> >
> > Environment: SQL Server 2005, VS 2005.
> >
> > 1. I understand that I can use either the ReportViewer control or the
> > Reporting Services web service to create reports. Which is recommended
> > and why?
> >
> > 2. Which is the best way to render a report? The reports will be
> > consumed from a Java/JSP environment.
> >
> > 3. What is the difference between Local and a Server mode for Reports?
> >
> > 4. How do I make a determination while developing reports whether to
> > use more RDL or to have more logic embedded in the ASP.NET application
> >
> > Thanks,
> >|||My suggestion is to start off with just a report project. RS comes with its
own portal called report manager. There is no reason to have another web
page getting in the way. Have your JSP app just assemble the appropriate URL
string.
Although you could do web services URL string is most likely the best way to
go.
One other issue. Is this an intranet or internet application?
Bruce Loehle-Conger
MVP SQL Server Reporting Services
<sandeshmeda@.gmail.com> wrote in message
news:1164905281.080323.249330@.16g2000cwy.googlegroups.com...
> Thanks for your suggestions.
> The reporting project will be .NET based but the Web application that
> is consuming these reports is a JSP app. Right now I think the best
> approach is to use URL method of embedding reports and using a IFRAME
> to render. Is there a better way?
> I guess I will stick with the Servermode for now for the advantages you
> mentioned.
> Here's the environment I have in mind.
> 1. Create a VS 2005 project a ASP.NET application that has a page for
> displaying reports. Say Report.aspx
> 2. Create another project for all the data sources and the report
> definitions
> 3. For integration with a JSP app, have the page call the Report.aspx
> page and send as query string params - the report name, the parameters.
> 4. The Report.aspx that hosts the ReportViewer control sets the Report
> path dynamically and renders the report.
> Will this architecture be scalable? We plan to host hundreds of
> reports.
> The other question is to how to use the query parameters from the
> Report.aspx to create datasources (does this need to be done
> programmatically)?
> Bruce L-C [MVP] wrote:
>> I suggest looking at some links on MS site:
>> http://msdn2.microsoft.com/en-us/library/aa964126.aspx
>> http://msdn2.microsoft.com/en-us/sql/aa336316.aspx
>> First, the control can only be used with a 2.0 framework asp.net website.
>> If
>> that is the case then that is the easiest way to integrate in. Although
>> you
>> say java/jsp which confuses me. asp.net <> jsp.
>> Local mode requires a good bit more work. You provide the tableset for it
>> but you also have to respond to events for subreports and other things
>> like
>> that. It is not as easy as developing server based reports. You also lose
>> out on functionality like caching, subscriptions etc provided by the
>> server.
>> My suggestion is first learn RS. Install the development environment,
>> create
>> some reports and subreports. Try doing some typical things.
>> If the end result is that your app is not an asp.net app they you have to
>> roll your own integration and use either webservices or URL integration.
>> --
>> Bruce Loehle-Conger
>> MVP SQL Server Reporting Services
>> <sandeshmeda@.gmail.com> wrote in message
>> news:1164746622.750876.306310@.45g2000cws.googlegroups.com...
>> > Hi all,
>> >
>> > I am a newbie to reporting services and am assigned the task of
>> > building an architecture for hosting reports for different departments
>> > in the organization. I am setting up a prototype and have a few
>> > questions:
>> >
>> > Environment: SQL Server 2005, VS 2005.
>> >
>> > 1. I understand that I can use either the ReportViewer control or the
>> > Reporting Services web service to create reports. Which is recommended
>> > and why?
>> >
>> > 2. Which is the best way to render a report? The reports will be
>> > consumed from a Java/JSP environment.
>> >
>> > 3. What is the difference between Local and a Server mode for Reports?
>> >
>> > 4. How do I make a determination while developing reports whether to
>> > use more RDL or to have more logic embedded in the ASP.NET application
>> >
>> > Thanks,
>> >
>|||Thanks Bruce for your reply.
This will be an internet application.
Can you please explain how I could use the Report Manager as a
substitute for a Report.aspx page?
I found out that a datasource can be a stored procedure with params and
my initial plan was to use the Report.aspx page to grab the params and
send it to the SP.
Bruce L-C [MVP] wrote:
> My suggestion is to start off with just a report project. RS comes with its
> own portal called report manager. There is no reason to have another web
> page getting in the way. Have your JSP app just assemble the appropriate URL
> string.
> Although you could do web services URL string is most likely the best way to
> go.
> One other issue. Is this an intranet or internet application?
>
> --
> Bruce Loehle-Conger
> MVP SQL Server Reporting Services
> <sandeshmeda@.gmail.com> wrote in message
> news:1164905281.080323.249330@.16g2000cwy.googlegroups.com...
> > Thanks for your suggestions.
> >
> > The reporting project will be .NET based but the Web application that
> > is consuming these reports is a JSP app. Right now I think the best
> > approach is to use URL method of embedding reports and using a IFRAME
> > to render. Is there a better way?
> >
> > I guess I will stick with the Servermode for now for the advantages you
> > mentioned.
> >
> > Here's the environment I have in mind.
> >
> > 1. Create a VS 2005 project a ASP.NET application that has a page for
> > displaying reports. Say Report.aspx
> > 2. Create another project for all the data sources and the report
> > definitions
> > 3. For integration with a JSP app, have the page call the Report.aspx
> > page and send as query string params - the report name, the parameters.
> > 4. The Report.aspx that hosts the ReportViewer control sets the Report
> > path dynamically and renders the report.
> >
> > Will this architecture be scalable? We plan to host hundreds of
> > reports.
> >
> > The other question is to how to use the query parameters from the
> > Report.aspx to create datasources (does this need to be done
> > programmatically)?
> >
> > Bruce L-C [MVP] wrote:
> >> I suggest looking at some links on MS site:
> >> http://msdn2.microsoft.com/en-us/library/aa964126.aspx
> >>
> >> http://msdn2.microsoft.com/en-us/sql/aa336316.aspx
> >>
> >> First, the control can only be used with a 2.0 framework asp.net website.
> >> If
> >> that is the case then that is the easiest way to integrate in. Although
> >> you
> >> say java/jsp which confuses me. asp.net <> jsp.
> >>
> >> Local mode requires a good bit more work. You provide the tableset for it
> >> but you also have to respond to events for subreports and other things
> >> like
> >> that. It is not as easy as developing server based reports. You also lose
> >> out on functionality like caching, subscriptions etc provided by the
> >> server.
> >>
> >> My suggestion is first learn RS. Install the development environment,
> >> create
> >> some reports and subreports. Try doing some typical things.
> >>
> >> If the end result is that your app is not an asp.net app they you have to
> >> roll your own integration and use either webservices or URL integration.
> >>
> >> --
> >> Bruce Loehle-Conger
> >> MVP SQL Server Reporting Services
> >>
> >> <sandeshmeda@.gmail.com> wrote in message
> >> news:1164746622.750876.306310@.45g2000cws.googlegroups.com...
> >> > Hi all,
> >> >
> >> > I am a newbie to reporting services and am assigned the task of
> >> > building an architecture for hosting reports for different departments
> >> > in the organization. I am setting up a prototype and have a few
> >> > questions:
> >> >
> >> > Environment: SQL Server 2005, VS 2005.
> >> >
> >> > 1. I understand that I can use either the ReportViewer control or the
> >> > Reporting Services web service to create reports. Which is recommended
> >> > and why?
> >> >
> >> > 2. Which is the best way to render a report? The reports will be
> >> > consumed from a Java/JSP environment.
> >> >
> >> > 3. What is the difference between Local and a Server mode for Reports?
> >> >
> >> > 4. How do I make a determination while developing reports whether to
> >> > use more RDL or to have more logic embedded in the ASP.NET application
> >> >
> >> > Thanks,
> >> >
> >|||As an internet app you will need to do forms based authentication
(non-trivial). Be sure to read up on that.
You pass parameters to the report via the URL. The report is the one that
calls the SP with the params. This will make more sense once you create a
report. Note that you can create and test reports without deploying to a
server. So you can install the report designer and start working on some
reports to learn prior to install and configuring the server.
Bruce Loehle-Conger
MVP SQL Server Reporting Services
<sandeshmeda@.gmail.com> wrote in message
news:1164912477.264230.84320@.16g2000cwy.googlegroups.com...
> Thanks Bruce for your reply.
> This will be an internet application.
> Can you please explain how I could use the Report Manager as a
> substitute for a Report.aspx page?
> I found out that a datasource can be a stored procedure with params and
> my initial plan was to use the Report.aspx page to grab the params and
> send it to the SP.
> Bruce L-C [MVP] wrote:
>> My suggestion is to start off with just a report project. RS comes with
>> its
>> own portal called report manager. There is no reason to have another web
>> page getting in the way. Have your JSP app just assemble the appropriate
>> URL
>> string.
>> Although you could do web services URL string is most likely the best way
>> to
>> go.
>> One other issue. Is this an intranet or internet application?
>>
>> --
>> Bruce Loehle-Conger
>> MVP SQL Server Reporting Services
>> <sandeshmeda@.gmail.com> wrote in message
>> news:1164905281.080323.249330@.16g2000cwy.googlegroups.com...
>> > Thanks for your suggestions.
>> >
>> > The reporting project will be .NET based but the Web application that
>> > is consuming these reports is a JSP app. Right now I think the best
>> > approach is to use URL method of embedding reports and using a IFRAME
>> > to render. Is there a better way?
>> >
>> > I guess I will stick with the Servermode for now for the advantages you
>> > mentioned.
>> >
>> > Here's the environment I have in mind.
>> >
>> > 1. Create a VS 2005 project a ASP.NET application that has a page for
>> > displaying reports. Say Report.aspx
>> > 2. Create another project for all the data sources and the report
>> > definitions
>> > 3. For integration with a JSP app, have the page call the Report.aspx
>> > page and send as query string params - the report name, the parameters.
>> > 4. The Report.aspx that hosts the ReportViewer control sets the Report
>> > path dynamically and renders the report.
>> >
>> > Will this architecture be scalable? We plan to host hundreds of
>> > reports.
>> >
>> > The other question is to how to use the query parameters from the
>> > Report.aspx to create datasources (does this need to be done
>> > programmatically)?
>> >
>> > Bruce L-C [MVP] wrote:
>> >> I suggest looking at some links on MS site:
>> >> http://msdn2.microsoft.com/en-us/library/aa964126.aspx
>> >>
>> >> http://msdn2.microsoft.com/en-us/sql/aa336316.aspx
>> >>
>> >> First, the control can only be used with a 2.0 framework asp.net
>> >> website.
>> >> If
>> >> that is the case then that is the easiest way to integrate in.
>> >> Although
>> >> you
>> >> say java/jsp which confuses me. asp.net <> jsp.
>> >>
>> >> Local mode requires a good bit more work. You provide the tableset for
>> >> it
>> >> but you also have to respond to events for subreports and other things
>> >> like
>> >> that. It is not as easy as developing server based reports. You also
>> >> lose
>> >> out on functionality like caching, subscriptions etc provided by the
>> >> server.
>> >>
>> >> My suggestion is first learn RS. Install the development environment,
>> >> create
>> >> some reports and subreports. Try doing some typical things.
>> >>
>> >> If the end result is that your app is not an asp.net app they you have
>> >> to
>> >> roll your own integration and use either webservices or URL
>> >> integration.
>> >>
>> >> --
>> >> Bruce Loehle-Conger
>> >> MVP SQL Server Reporting Services
>> >>
>> >> <sandeshmeda@.gmail.com> wrote in message
>> >> news:1164746622.750876.306310@.45g2000cws.googlegroups.com...
>> >> > Hi all,
>> >> >
>> >> > I am a newbie to reporting services and am assigned the task of
>> >> > building an architecture for hosting reports for different
>> >> > departments
>> >> > in the organization. I am setting up a prototype and have a few
>> >> > questions:
>> >> >
>> >> > Environment: SQL Server 2005, VS 2005.
>> >> >
>> >> > 1. I understand that I can use either the ReportViewer control or
>> >> > the
>> >> > Reporting Services web service to create reports. Which is
>> >> > recommended
>> >> > and why?
>> >> >
>> >> > 2. Which is the best way to render a report? The reports will be
>> >> > consumed from a Java/JSP environment.
>> >> >
>> >> > 3. What is the difference between Local and a Server mode for
>> >> > Reports?
>> >> >
>> >> > 4. How do I make a determination while developing reports whether to
>> >> > use more RDL or to have more logic embedded in the ASP.NET
>> >> > application
>> >> >
>> >> > Thanks,
>> >> >
>> >
>
Showing posts with label task. Show all posts
Showing posts with label task. Show all posts
Wednesday, March 28, 2012
Monday, March 26, 2012
Reporting services 2000 security
Hi folks,
I have been charged with the task of providing some security measures for
reporting services 2000 and unfortuneately I have found myself a bit out of
my depth (usually I am found developing desktop applications), I am
comfortable with any c# coding required but I'm finding the whole thing
rather confusing.
Our setup consists of a webserver and reporting server (on different domains
at the moment) We have a website that works as we wish, displaying a list
of reports based on the users logon details. However we have found tht the
reporting server can be accessed directly and with a bit of playing around
anyone can view (often sensitive) information.
The current site is written in ASP (not .NET), is it possible to 'wrap' the
existing site in an asp.net form so that we can use forms authentication
providing the necessary security to plug the hole?
To maintian useability we require the dropdowns for parameters provided by
URL addressability, so would we need to move the reporting server onto the
webserver so that it would have the same domain?
Any tips or links would be very much appreciated - I feel like a fish out of
water at the moment :)
Regards
Darren SimCrossing domains is an issue.
Assuming on the same domain you should be able to assign domain users or
domain groups to appropriate roles in RS. If they have been assigned
appropriately then they should not be able to see or run reports they
shouldn't. The way it works is that security starts with whatever roles have
been assigned to the home directory/folder in report manager. All
report/folders inherit from this. You can override at either the folder
level or the report level. For instance, if there is folder that only
management should see the reports then in Report Manager remove the group
for browsing for that folder and add one that is just the managers. You can
also do this for individual reports. My guess is that no-one understood how
roles are used to secure the website. Regardless of whether you integrate
this in with your web app, you need to understand this.
Yes you can integrate in your own authentication, many people have. It is
non-trivial but doable. However, if you have it on the same server as your
web app then you can use integrated security, it will know who is connected
to your web app and they will only be able to view the appropriate reports.
Bruce Loehle-Conger
MVP SQL Server Reporting Services
"Darren Sim" <darrens@.sirius.co.uk> wrote in message
news:%234FzKGhSHHA.4756@.TK2MSFTNGP06.phx.gbl...
> Hi folks,
> I have been charged with the task of providing some security measures for
> reporting services 2000 and unfortuneately I have found myself a bit out
> of my depth (usually I am found developing desktop applications), I am
> comfortable with any c# coding required but I'm finding the whole thing
> rather confusing.
> Our setup consists of a webserver and reporting server (on different
> domains at the moment) We have a website that works as we wish,
> displaying a list of reports based on the users logon details. However we
> have found tht the reporting server can be accessed directly and with a
> bit of playing around anyone can view (often sensitive) information.
> The current site is written in ASP (not .NET), is it possible to 'wrap'
> the existing site in an asp.net form so that we can use forms
> authentication providing the necessary security to plug the hole?
> To maintian useability we require the dropdowns for parameters provided by
> URL addressability, so would we need to move the reporting server onto
> the webserver so that it would have the same domain?
> Any tips or links would be very much appreciated - I feel like a fish out
> of water at the moment :)
> Regards
> Darren Sim
>|||Thanks Bruce your help is much appreciated,
Just to clarify, at the moment our web app accepts a login from a user then
checks the details against a database, the returned values determine which
reports are made available and the links to these are then displayed on a
page.
If we were to move the reporting server onto our web server, would it just
be a case of turning on integrated security on the report server?
Thanks again
Darren
"Bruce L-C [MVP]" <bruce_lcNOSPAM@.hotmail.com> wrote in message
news:%235q3hphSHHA.4632@.TK2MSFTNGP04.phx.gbl...
> Crossing domains is an issue.
> Assuming on the same domain you should be able to assign domain users or
> domain groups to appropriate roles in RS. If they have been assigned
> appropriately then they should not be able to see or run reports they
> shouldn't. The way it works is that security starts with whatever roles
> have been assigned to the home directory/folder in report manager. All
> report/folders inherit from this. You can override at either the folder
> level or the report level. For instance, if there is folder that only
> management should see the reports then in Report Manager remove the group
> for browsing for that folder and add one that is just the managers. You
> can also do this for individual reports. My guess is that no-one
> understood how roles are used to secure the website. Regardless of whether
> you integrate this in with your web app, you need to understand this.
> Yes you can integrate in your own authentication, many people have. It is
> non-trivial but doable. However, if you have it on the same server as your
> web app then you can use integrated security, it will know who is
> connected to your web app and they will only be able to view the
> appropriate reports.
>
> --
> Bruce Loehle-Conger
> MVP SQL Server Reporting Services
> "Darren Sim" <darrens@.sirius.co.uk> wrote in message
> news:%234FzKGhSHHA.4756@.TK2MSFTNGP06.phx.gbl...
>> Hi folks,
>> I have been charged with the task of providing some security measures for
>> reporting services 2000 and unfortuneately I have found myself a bit out
>> of my depth (usually I am found developing desktop applications), I am
>> comfortable with any c# coding required but I'm finding the whole thing
>> rather confusing.
>> Our setup consists of a webserver and reporting server (on different
>> domains at the moment) We have a website that works as we wish,
>> displaying a list of reports based on the users logon details. However
>> we have found tht the reporting server can be accessed directly and with
>> a bit of playing around anyone can view (often sensitive) information.
>> The current site is written in ASP (not .NET), is it possible to 'wrap'
>> the existing site in an asp.net form so that we can use forms
>> authentication providing the necessary security to plug the hole?
>> To maintian useability we require the dropdowns for parameters provided
>> by URL addressability, so would we need to move the reporting server
>> onto the webserver so that it would have the same domain?
>> Any tips or links would be very much appreciated - I feel like a fish out
>> of water at the moment :)
>> Regards
>> Darren Sim
>|||Well, it sounds like your web app is not using integrated security. There
are two steps to security. One is authenticating who the user is. That can
be done with forms authentication (in which case you integrate in the
authentication from your web app with RS). Then the other is roles. If you
don't do the roles then the user can go directly to Report Manager web site
and get whatever report they want. So regardless of how you decide to
authenticate you need to still understand and use roles in RS.
Bruce Loehle-Conger
MVP SQL Server Reporting Services
"Darren Sim" <darrens@.sirius.co.uk> wrote in message
news:uPcxjxpSHHA.3948@.TK2MSFTNGP05.phx.gbl...
> Thanks Bruce your help is much appreciated,
> Just to clarify, at the moment our web app accepts a login from a user
> then checks the details against a database, the returned values determine
> which reports are made available and the links to these are then displayed
> on a page.
> If we were to move the reporting server onto our web server, would it just
> be a case of turning on integrated security on the report server?
> Thanks again
> Darren
>
> "Bruce L-C [MVP]" <bruce_lcNOSPAM@.hotmail.com> wrote in message
> news:%235q3hphSHHA.4632@.TK2MSFTNGP04.phx.gbl...
>> Crossing domains is an issue.
>> Assuming on the same domain you should be able to assign domain users or
>> domain groups to appropriate roles in RS. If they have been assigned
>> appropriately then they should not be able to see or run reports they
>> shouldn't. The way it works is that security starts with whatever roles
>> have been assigned to the home directory/folder in report manager. All
>> report/folders inherit from this. You can override at either the folder
>> level or the report level. For instance, if there is folder that only
>> management should see the reports then in Report Manager remove the group
>> for browsing for that folder and add one that is just the managers. You
>> can also do this for individual reports. My guess is that no-one
>> understood how roles are used to secure the website. Regardless of
>> whether you integrate this in with your web app, you need to understand
>> this.
>> Yes you can integrate in your own authentication, many people have. It is
>> non-trivial but doable. However, if you have it on the same server as
>> your web app then you can use integrated security, it will know who is
>> connected to your web app and they will only be able to view the
>> appropriate reports.
>>
>> --
>> Bruce Loehle-Conger
>> MVP SQL Server Reporting Services
>> "Darren Sim" <darrens@.sirius.co.uk> wrote in message
>> news:%234FzKGhSHHA.4756@.TK2MSFTNGP06.phx.gbl...
>> Hi folks,
>> I have been charged with the task of providing some security measures
>> for reporting services 2000 and unfortuneately I have found myself a bit
>> out of my depth (usually I am found developing desktop applications), I
>> am comfortable with any c# coding required but I'm finding the whole
>> thing rather confusing.
>> Our setup consists of a webserver and reporting server (on different
>> domains at the moment) We have a website that works as we wish,
>> displaying a list of reports based on the users logon details. However
>> we have found tht the reporting server can be accessed directly and with
>> a bit of playing around anyone can view (often sensitive) information.
>> The current site is written in ASP (not .NET), is it possible to 'wrap'
>> the existing site in an asp.net form so that we can use forms
>> authentication providing the necessary security to plug the hole?
>> To maintian useability we require the dropdowns for parameters provided
>> by URL addressability, so would we need to move the reporting server
>> onto the webserver so that it would have the same domain?
>> Any tips or links would be very much appreciated - I feel like a fish
>> out of water at the moment :)
>> Regards
>> Darren Sim
>>
>|||Thanks again Bruce
You are quite correct - the website set up for viewing reports does not use
integrated security. I have been looking at integrating forms
authentication, but hit a few snags - I think most of the problems are
simply down to a poor understanding of the RS configfiles and what needs to
be done.
We are also moving the reporting services on to the web server to address
the domain issue - I have been thinking of redoing the login page in .NET to
handle forms security, if the login has been successful then allow the user
to proceed to the current site.
At the moment I am using VS2005 and .NET 2.0 for desktop applications, for
RS200 do I neet to use .NET1.1 and VS2003? (I have access to both)
I will read up on roles to get a better understanding of what needs to be
done to enchance security.
Kind regards
Darren Sim
"Bruce L-C [MVP]" <bruce_lcNOSPAM@.hotmail.com> wrote in message
news:e9k5iLuSHHA.1228@.TK2MSFTNGP06.phx.gbl...
> Well, it sounds like your web app is not using integrated security. There
> are two steps to security. One is authenticating who the user is. That can
> be done with forms authentication (in which case you integrate in the
> authentication from your web app with RS). Then the other is roles. If you
> don't do the roles then the user can go directly to Report Manager web
> site and get whatever report they want. So regardless of how you decide to
> authenticate you need to still understand and use roles in RS.
>
> --
> Bruce Loehle-Conger
> MVP SQL Server Reporting Services
>|||Yes, RS 2000 is a 1.1 application. If your web site is 2.0 it can also run
1.1 for the RS websites.
As a 1.1 application you need to install VS 2003 and then install the report
designer.
If at all possible I would look at upgrading to RS 2005. It uses 2.0. It is
faster and has some important features (end user sorting, multi-select
parameters, calendar control to name a few).
Bruce Loehle-Conger
MVP SQL Server Reporting Services
"Darren Sim" <darrens@.sirius.co.uk> wrote in message
news:%23caBKv3SHHA.1200@.TK2MSFTNGP04.phx.gbl...
> Thanks again Bruce
> You are quite correct - the website set up for viewing reports does not
> use integrated security. I have been looking at integrating forms
> authentication, but hit a few snags - I think most of the problems are
> simply down to a poor understanding of the RS configfiles and what needs
> to be done.
> We are also moving the reporting services on to the web server to address
> the domain issue - I have been thinking of redoing the login page in .NET
> to handle forms security, if the login has been successful then allow the
> user to proceed to the current site.
> At the moment I am using VS2005 and .NET 2.0 for desktop applications, for
> RS200 do I neet to use .NET1.1 and VS2003? (I have access to both)
> I will read up on roles to get a better understanding of what needs to be
> done to enchance security.
> Kind regards
> Darren Sim
> "Bruce L-C [MVP]" <bruce_lcNOSPAM@.hotmail.com> wrote in message
> news:e9k5iLuSHHA.1228@.TK2MSFTNGP06.phx.gbl...
>> Well, it sounds like your web app is not using integrated security. There
>> are two steps to security. One is authenticating who the user is. That
>> can be done with forms authentication (in which case you integrate in the
>> authentication from your web app with RS). Then the other is roles. If
>> you don't do the roles then the user can go directly to Report Manager
>> web site and get whatever report they want. So regardless of how you
>> decide to authenticate you need to still understand and use roles in RS.
>>
>> --
>> Bruce Loehle-Conger
>> MVP SQL Server Reporting Services
>|||We are upgrading to sql 2005 and RS2005. This is only to act as a stop-gap
until this can be properly planned and carried out as having the reporting
server accessible by anyone obviously poses a security threat.
Unfortuneately this security hole was only discovered at the last minute
before making the service available to our clients. I have only been here
for 6 months and I'm pushing for all developement to be on the .net 2.0
framework, as I use this for the desktop applications and some of the code I
am using could be reused in the web applications. However we are a very
small operation and getting everyone up to speed takes time, not to mention
the task of doing everything over...
Thanks very much for your assistance Bruce, I think I have an idea of at
least where to begin.
Regards
Darren
"Bruce L-C [MVP]" <bruce_lcNOSPAM@.hotmail.com> wrote in message
news:OqLkrJ4SHHA.4632@.TK2MSFTNGP04.phx.gbl...
> Yes, RS 2000 is a 1.1 application. If your web site is 2.0 it can also run
> 1.1 for the RS websites.
> As a 1.1 application you need to install VS 2003 and then install the
> report designer.
> If at all possible I would look at upgrading to RS 2005. It uses 2.0. It
> is faster and has some important features (end user sorting, multi-select
> parameters, calendar control to name a few).
>
> --
> Bruce Loehle-Conger
> MVP SQL Server Reporting Services
>
> "Darren Sim" <darrens@.sirius.co.uk> wrote in message
> news:%23caBKv3SHHA.1200@.TK2MSFTNGP04.phx.gbl...
>> Thanks again Bruce
>> You are quite correct - the website set up for viewing reports does not
>> use integrated security. I have been looking at integrating forms
>> authentication, but hit a few snags - I think most of the problems are
>> simply down to a poor understanding of the RS configfiles and what needs
>> to be done.
>> We are also moving the reporting services on to the web server to address
>> the domain issue - I have been thinking of redoing the login page in .NET
>> to handle forms security, if the login has been successful then allow the
>> user to proceed to the current site.
>> At the moment I am using VS2005 and .NET 2.0 for desktop applications,
>> for RS200 do I neet to use .NET1.1 and VS2003? (I have access to both)
>> I will read up on roles to get a better understanding of what needs to be
>> done to enchance security.
>> Kind regards
>> Darren Sim
>> "Bruce L-C [MVP]" <bruce_lcNOSPAM@.hotmail.com> wrote in message
>> news:e9k5iLuSHHA.1228@.TK2MSFTNGP06.phx.gbl...
>> Well, it sounds like your web app is not using integrated security.
>> There are two steps to security. One is authenticating who the user is.
>> That can be done with forms authentication (in which case you integrate
>> in the authentication from your web app with RS). Then the other is
>> roles. If you don't do the roles then the user can go directly to Report
>> Manager web site and get whatever report they want. So regardless of how
>> you decide to authenticate you need to still understand and use roles in
>> RS.
>>
>> --
>> Bruce Loehle-Conger
>> MVP SQL Server Reporting Services
>>
>sql
I have been charged with the task of providing some security measures for
reporting services 2000 and unfortuneately I have found myself a bit out of
my depth (usually I am found developing desktop applications), I am
comfortable with any c# coding required but I'm finding the whole thing
rather confusing.
Our setup consists of a webserver and reporting server (on different domains
at the moment) We have a website that works as we wish, displaying a list
of reports based on the users logon details. However we have found tht the
reporting server can be accessed directly and with a bit of playing around
anyone can view (often sensitive) information.
The current site is written in ASP (not .NET), is it possible to 'wrap' the
existing site in an asp.net form so that we can use forms authentication
providing the necessary security to plug the hole?
To maintian useability we require the dropdowns for parameters provided by
URL addressability, so would we need to move the reporting server onto the
webserver so that it would have the same domain?
Any tips or links would be very much appreciated - I feel like a fish out of
water at the moment :)
Regards
Darren SimCrossing domains is an issue.
Assuming on the same domain you should be able to assign domain users or
domain groups to appropriate roles in RS. If they have been assigned
appropriately then they should not be able to see or run reports they
shouldn't. The way it works is that security starts with whatever roles have
been assigned to the home directory/folder in report manager. All
report/folders inherit from this. You can override at either the folder
level or the report level. For instance, if there is folder that only
management should see the reports then in Report Manager remove the group
for browsing for that folder and add one that is just the managers. You can
also do this for individual reports. My guess is that no-one understood how
roles are used to secure the website. Regardless of whether you integrate
this in with your web app, you need to understand this.
Yes you can integrate in your own authentication, many people have. It is
non-trivial but doable. However, if you have it on the same server as your
web app then you can use integrated security, it will know who is connected
to your web app and they will only be able to view the appropriate reports.
Bruce Loehle-Conger
MVP SQL Server Reporting Services
"Darren Sim" <darrens@.sirius.co.uk> wrote in message
news:%234FzKGhSHHA.4756@.TK2MSFTNGP06.phx.gbl...
> Hi folks,
> I have been charged with the task of providing some security measures for
> reporting services 2000 and unfortuneately I have found myself a bit out
> of my depth (usually I am found developing desktop applications), I am
> comfortable with any c# coding required but I'm finding the whole thing
> rather confusing.
> Our setup consists of a webserver and reporting server (on different
> domains at the moment) We have a website that works as we wish,
> displaying a list of reports based on the users logon details. However we
> have found tht the reporting server can be accessed directly and with a
> bit of playing around anyone can view (often sensitive) information.
> The current site is written in ASP (not .NET), is it possible to 'wrap'
> the existing site in an asp.net form so that we can use forms
> authentication providing the necessary security to plug the hole?
> To maintian useability we require the dropdowns for parameters provided by
> URL addressability, so would we need to move the reporting server onto
> the webserver so that it would have the same domain?
> Any tips or links would be very much appreciated - I feel like a fish out
> of water at the moment :)
> Regards
> Darren Sim
>|||Thanks Bruce your help is much appreciated,
Just to clarify, at the moment our web app accepts a login from a user then
checks the details against a database, the returned values determine which
reports are made available and the links to these are then displayed on a
page.
If we were to move the reporting server onto our web server, would it just
be a case of turning on integrated security on the report server?
Thanks again
Darren
"Bruce L-C [MVP]" <bruce_lcNOSPAM@.hotmail.com> wrote in message
news:%235q3hphSHHA.4632@.TK2MSFTNGP04.phx.gbl...
> Crossing domains is an issue.
> Assuming on the same domain you should be able to assign domain users or
> domain groups to appropriate roles in RS. If they have been assigned
> appropriately then they should not be able to see or run reports they
> shouldn't. The way it works is that security starts with whatever roles
> have been assigned to the home directory/folder in report manager. All
> report/folders inherit from this. You can override at either the folder
> level or the report level. For instance, if there is folder that only
> management should see the reports then in Report Manager remove the group
> for browsing for that folder and add one that is just the managers. You
> can also do this for individual reports. My guess is that no-one
> understood how roles are used to secure the website. Regardless of whether
> you integrate this in with your web app, you need to understand this.
> Yes you can integrate in your own authentication, many people have. It is
> non-trivial but doable. However, if you have it on the same server as your
> web app then you can use integrated security, it will know who is
> connected to your web app and they will only be able to view the
> appropriate reports.
>
> --
> Bruce Loehle-Conger
> MVP SQL Server Reporting Services
> "Darren Sim" <darrens@.sirius.co.uk> wrote in message
> news:%234FzKGhSHHA.4756@.TK2MSFTNGP06.phx.gbl...
>> Hi folks,
>> I have been charged with the task of providing some security measures for
>> reporting services 2000 and unfortuneately I have found myself a bit out
>> of my depth (usually I am found developing desktop applications), I am
>> comfortable with any c# coding required but I'm finding the whole thing
>> rather confusing.
>> Our setup consists of a webserver and reporting server (on different
>> domains at the moment) We have a website that works as we wish,
>> displaying a list of reports based on the users logon details. However
>> we have found tht the reporting server can be accessed directly and with
>> a bit of playing around anyone can view (often sensitive) information.
>> The current site is written in ASP (not .NET), is it possible to 'wrap'
>> the existing site in an asp.net form so that we can use forms
>> authentication providing the necessary security to plug the hole?
>> To maintian useability we require the dropdowns for parameters provided
>> by URL addressability, so would we need to move the reporting server
>> onto the webserver so that it would have the same domain?
>> Any tips or links would be very much appreciated - I feel like a fish out
>> of water at the moment :)
>> Regards
>> Darren Sim
>|||Well, it sounds like your web app is not using integrated security. There
are two steps to security. One is authenticating who the user is. That can
be done with forms authentication (in which case you integrate in the
authentication from your web app with RS). Then the other is roles. If you
don't do the roles then the user can go directly to Report Manager web site
and get whatever report they want. So regardless of how you decide to
authenticate you need to still understand and use roles in RS.
Bruce Loehle-Conger
MVP SQL Server Reporting Services
"Darren Sim" <darrens@.sirius.co.uk> wrote in message
news:uPcxjxpSHHA.3948@.TK2MSFTNGP05.phx.gbl...
> Thanks Bruce your help is much appreciated,
> Just to clarify, at the moment our web app accepts a login from a user
> then checks the details against a database, the returned values determine
> which reports are made available and the links to these are then displayed
> on a page.
> If we were to move the reporting server onto our web server, would it just
> be a case of turning on integrated security on the report server?
> Thanks again
> Darren
>
> "Bruce L-C [MVP]" <bruce_lcNOSPAM@.hotmail.com> wrote in message
> news:%235q3hphSHHA.4632@.TK2MSFTNGP04.phx.gbl...
>> Crossing domains is an issue.
>> Assuming on the same domain you should be able to assign domain users or
>> domain groups to appropriate roles in RS. If they have been assigned
>> appropriately then they should not be able to see or run reports they
>> shouldn't. The way it works is that security starts with whatever roles
>> have been assigned to the home directory/folder in report manager. All
>> report/folders inherit from this. You can override at either the folder
>> level or the report level. For instance, if there is folder that only
>> management should see the reports then in Report Manager remove the group
>> for browsing for that folder and add one that is just the managers. You
>> can also do this for individual reports. My guess is that no-one
>> understood how roles are used to secure the website. Regardless of
>> whether you integrate this in with your web app, you need to understand
>> this.
>> Yes you can integrate in your own authentication, many people have. It is
>> non-trivial but doable. However, if you have it on the same server as
>> your web app then you can use integrated security, it will know who is
>> connected to your web app and they will only be able to view the
>> appropriate reports.
>>
>> --
>> Bruce Loehle-Conger
>> MVP SQL Server Reporting Services
>> "Darren Sim" <darrens@.sirius.co.uk> wrote in message
>> news:%234FzKGhSHHA.4756@.TK2MSFTNGP06.phx.gbl...
>> Hi folks,
>> I have been charged with the task of providing some security measures
>> for reporting services 2000 and unfortuneately I have found myself a bit
>> out of my depth (usually I am found developing desktop applications), I
>> am comfortable with any c# coding required but I'm finding the whole
>> thing rather confusing.
>> Our setup consists of a webserver and reporting server (on different
>> domains at the moment) We have a website that works as we wish,
>> displaying a list of reports based on the users logon details. However
>> we have found tht the reporting server can be accessed directly and with
>> a bit of playing around anyone can view (often sensitive) information.
>> The current site is written in ASP (not .NET), is it possible to 'wrap'
>> the existing site in an asp.net form so that we can use forms
>> authentication providing the necessary security to plug the hole?
>> To maintian useability we require the dropdowns for parameters provided
>> by URL addressability, so would we need to move the reporting server
>> onto the webserver so that it would have the same domain?
>> Any tips or links would be very much appreciated - I feel like a fish
>> out of water at the moment :)
>> Regards
>> Darren Sim
>>
>|||Thanks again Bruce
You are quite correct - the website set up for viewing reports does not use
integrated security. I have been looking at integrating forms
authentication, but hit a few snags - I think most of the problems are
simply down to a poor understanding of the RS configfiles and what needs to
be done.
We are also moving the reporting services on to the web server to address
the domain issue - I have been thinking of redoing the login page in .NET to
handle forms security, if the login has been successful then allow the user
to proceed to the current site.
At the moment I am using VS2005 and .NET 2.0 for desktop applications, for
RS200 do I neet to use .NET1.1 and VS2003? (I have access to both)
I will read up on roles to get a better understanding of what needs to be
done to enchance security.
Kind regards
Darren Sim
"Bruce L-C [MVP]" <bruce_lcNOSPAM@.hotmail.com> wrote in message
news:e9k5iLuSHHA.1228@.TK2MSFTNGP06.phx.gbl...
> Well, it sounds like your web app is not using integrated security. There
> are two steps to security. One is authenticating who the user is. That can
> be done with forms authentication (in which case you integrate in the
> authentication from your web app with RS). Then the other is roles. If you
> don't do the roles then the user can go directly to Report Manager web
> site and get whatever report they want. So regardless of how you decide to
> authenticate you need to still understand and use roles in RS.
>
> --
> Bruce Loehle-Conger
> MVP SQL Server Reporting Services
>|||Yes, RS 2000 is a 1.1 application. If your web site is 2.0 it can also run
1.1 for the RS websites.
As a 1.1 application you need to install VS 2003 and then install the report
designer.
If at all possible I would look at upgrading to RS 2005. It uses 2.0. It is
faster and has some important features (end user sorting, multi-select
parameters, calendar control to name a few).
Bruce Loehle-Conger
MVP SQL Server Reporting Services
"Darren Sim" <darrens@.sirius.co.uk> wrote in message
news:%23caBKv3SHHA.1200@.TK2MSFTNGP04.phx.gbl...
> Thanks again Bruce
> You are quite correct - the website set up for viewing reports does not
> use integrated security. I have been looking at integrating forms
> authentication, but hit a few snags - I think most of the problems are
> simply down to a poor understanding of the RS configfiles and what needs
> to be done.
> We are also moving the reporting services on to the web server to address
> the domain issue - I have been thinking of redoing the login page in .NET
> to handle forms security, if the login has been successful then allow the
> user to proceed to the current site.
> At the moment I am using VS2005 and .NET 2.0 for desktop applications, for
> RS200 do I neet to use .NET1.1 and VS2003? (I have access to both)
> I will read up on roles to get a better understanding of what needs to be
> done to enchance security.
> Kind regards
> Darren Sim
> "Bruce L-C [MVP]" <bruce_lcNOSPAM@.hotmail.com> wrote in message
> news:e9k5iLuSHHA.1228@.TK2MSFTNGP06.phx.gbl...
>> Well, it sounds like your web app is not using integrated security. There
>> are two steps to security. One is authenticating who the user is. That
>> can be done with forms authentication (in which case you integrate in the
>> authentication from your web app with RS). Then the other is roles. If
>> you don't do the roles then the user can go directly to Report Manager
>> web site and get whatever report they want. So regardless of how you
>> decide to authenticate you need to still understand and use roles in RS.
>>
>> --
>> Bruce Loehle-Conger
>> MVP SQL Server Reporting Services
>|||We are upgrading to sql 2005 and RS2005. This is only to act as a stop-gap
until this can be properly planned and carried out as having the reporting
server accessible by anyone obviously poses a security threat.
Unfortuneately this security hole was only discovered at the last minute
before making the service available to our clients. I have only been here
for 6 months and I'm pushing for all developement to be on the .net 2.0
framework, as I use this for the desktop applications and some of the code I
am using could be reused in the web applications. However we are a very
small operation and getting everyone up to speed takes time, not to mention
the task of doing everything over...
Thanks very much for your assistance Bruce, I think I have an idea of at
least where to begin.
Regards
Darren
"Bruce L-C [MVP]" <bruce_lcNOSPAM@.hotmail.com> wrote in message
news:OqLkrJ4SHHA.4632@.TK2MSFTNGP04.phx.gbl...
> Yes, RS 2000 is a 1.1 application. If your web site is 2.0 it can also run
> 1.1 for the RS websites.
> As a 1.1 application you need to install VS 2003 and then install the
> report designer.
> If at all possible I would look at upgrading to RS 2005. It uses 2.0. It
> is faster and has some important features (end user sorting, multi-select
> parameters, calendar control to name a few).
>
> --
> Bruce Loehle-Conger
> MVP SQL Server Reporting Services
>
> "Darren Sim" <darrens@.sirius.co.uk> wrote in message
> news:%23caBKv3SHHA.1200@.TK2MSFTNGP04.phx.gbl...
>> Thanks again Bruce
>> You are quite correct - the website set up for viewing reports does not
>> use integrated security. I have been looking at integrating forms
>> authentication, but hit a few snags - I think most of the problems are
>> simply down to a poor understanding of the RS configfiles and what needs
>> to be done.
>> We are also moving the reporting services on to the web server to address
>> the domain issue - I have been thinking of redoing the login page in .NET
>> to handle forms security, if the login has been successful then allow the
>> user to proceed to the current site.
>> At the moment I am using VS2005 and .NET 2.0 for desktop applications,
>> for RS200 do I neet to use .NET1.1 and VS2003? (I have access to both)
>> I will read up on roles to get a better understanding of what needs to be
>> done to enchance security.
>> Kind regards
>> Darren Sim
>> "Bruce L-C [MVP]" <bruce_lcNOSPAM@.hotmail.com> wrote in message
>> news:e9k5iLuSHHA.1228@.TK2MSFTNGP06.phx.gbl...
>> Well, it sounds like your web app is not using integrated security.
>> There are two steps to security. One is authenticating who the user is.
>> That can be done with forms authentication (in which case you integrate
>> in the authentication from your web app with RS). Then the other is
>> roles. If you don't do the roles then the user can go directly to Report
>> Manager web site and get whatever report they want. So regardless of how
>> you decide to authenticate you need to still understand and use roles in
>> RS.
>>
>> --
>> Bruce Loehle-Conger
>> MVP SQL Server Reporting Services
>>
>sql
Subscribe to:
Posts (Atom)