

Harden MS Reporting Services Using Custom Extensions : Page 4

Microsoft Reporting Services includes an incredibly flexible extensibility model, and implementing a custom security model is one smart way to take advantage of it. Shore up your implementation with forms authentication and role membership.

Introducing the Adventure Works Portal
This article uses the example of a fictitious company called Adventure Works Cycles. The company would like to enhance its Internet Web portal by allowing its customers to generate reports. Adventure Works manufactures and sells bikes and bike accessories throughout the world to individuals and retail stores. As is typical with many popular online stores, one of the first reports to add to the Adventure Works Internet portal is the order history report, which allows customers to see the items they have ordered in the past (see Figure 2).

Figure 2. The Order History Report: This report has interactive features and includes the HTML Viewer toolbar.

As shown in Figure 2, Adventure Works has decided to leverage the interactive features supported by RS to provide the best reporting experience to its customers. Specifically, the report allows the end user to drill down into a given order by clicking on the plus sign to expand it and see the order items. In addition, the report includes the handy HTML Viewer toolbar at the top, which allows users to easily export the report in different popular formats, such as PDF, Excel, etc. Had this report been authored to take parameters, the HTML Viewer would have included placeholders for each parameter. Please note that with RS all this comes out of the box without writing a single line of code.

Report interactive features are available only with URL addressability and require direct access to the report server. For example, when the user drills down into a given order, the HTML Viewer framework submits an HTTP-GET request to the report server to fetch and render the order details. Therefore, to integrate the Web front-end with RS successfully, you need to implement the following reporting requirements:

  1. The customer has to be authenticated before s/he can request reports.
  2. Report-enabling the application should not compromise security. Implementing a custom security extension enforces restricted access to the report server.
  3. Authenticate end-users against a user profile store. In this case, the profile store is represented by the table Individuals in the AdventureWorks2000 database.
  4. Implement horizontal data filtering at the data source based on the user identity to ensure that a customer can see only her orders. The customer orders report passes the customer identifier to the WHERE clause of the report query. The custom security extension uses the customer identifier to authenticate the user, and you obtain the customer identifier from the standard RS User collection (User!UserId).
  5. Implement the necessary infrastructure to provide administrator level access to the report server using a designated admin account. For easier maintenance, the admin credentials are specified in the RSReportServer.config file.
  6. Support assigning customers to application-defined groups for easier maintenance. Creating role-based security policies for individual Web customers is often impractical. Instead, a better approach is to assign customers to groups, e.g. Gold and Platinum groups.
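The horizontal filtering in requirement 4 can be modelled as follows. This is an added example, not code from the article or from Reporting Services: it uses Python with an in-memory SQLite database standing in for the report server and data source, and the table names, column names, sample rows and URL are constructed assumptions. It contrasts a filter bound to a client-supplied URL parameter with one bound to the identity established at logon, which is the role `User!UserId` plays in the report.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed sample data. Table and column names are illustrative assumptions,
# not the AdventureWorks2000 schema.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE orders (order_id INTEGER PRIMARY KEY, customer_id TEXT, order_date TEXT);
        CREATE TABLE order_items (order_id INTEGER, product TEXT, qty INTEGER);
        INSERT INTO orders VALUES (1, '101', '2004-03-01'), (2, '101', '2004-05-12'),
                                  (3, '202', '2004-04-20');
        INSERT INTO order_items VALUES (1, 'Road Bike', 1), (2, 'Helmet', 2),
                                       (3, 'Mountain Bike', 1);
    """)
    return db

# The report query: the customer filter is a bound parameter, never concatenated text.
ORDER_HISTORY_SQL = """
    SELECT o.order_id, o.order_date, i.product, i.qty
    FROM orders o JOIN order_items i ON i.order_id = o.order_id
    WHERE o.customer_id = :customer_id
    ORDER BY o.order_id, i.product
"""

def url_params(report_url):
    """Parameters a client can place on a URL-addressed report request."""
    return {k: v[0] for k, v in parse_qs(urlsplit(report_url).query).items()}

def history_from_url_parameter(db, report_url):
    """Weak binding: the filter value is whatever CustomerID the request carries."""
    customer_id = url_params(report_url).get("CustomerID")
    return db.execute(ORDER_HISTORY_SQL, {"customer_id": customer_id}).fetchall()

def history_from_identity(db, authenticated_user_id, report_url):
    """Identity binding: the filter value is the id set at logon, so a
    CustomerID on the URL has no effect on which rows are returned."""
    if not authenticated_user_id:
        raise PermissionError("report requested without an authenticated user")
    # report_url is accepted but deliberately not consulted for the filter value.
    return db.execute(ORDER_HISTORY_SQL,
                      {"customer_id": authenticated_user_id}).fetchall()
```

With the identity binding, the rows returned depend only on who logged on, which is why the custom security extension must authenticate with the same customer identifier the query filters on.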

Implementing RS Forms Authentication
Developers familiar with interface-based programming should find implementing RS custom security straightforward. I highly recommend you review the "Using Forms Authentication in Reporting Services" whitepaper by Microsoft for additional information about RS custom security.
