

Harden MS Reporting Services Using Custom Extensions : Page 5

An incredibly flexible extensibility model is included with Microsoft Reporting Services, and hammering down a custom security model is one smart way to take advantage of it. Shore up your implementation with forms authentication and role membership.

Setting Up the Forms Authentication
Once you download and unzip the sample code package accompanying this article, open the FormsAuthentication.sln file in VS.NET 2003. You will see three projects: AdventureWorks.Extensibility, Reports, and Web. The custom security extension is implemented in the AdventureWorks.Extensibility project. The Reports project is a business intelligence project that contains the customer orders report sample. Finally, the Web project simulates the Adventure Works Web portal.

Figure 3. RS Role-based Security: Configure RS role-based security by logging in as an administrator to the Report Manager portal.

Since the most difficult part in implementing custom security is configuring the security extension properly, detailed step-by-step instructions are provided in the readme.htm file. In addition, you can find copies of the report manager and report server configuration files in the Configuration Files folder. Please use these files as reference only! Do not just copy them and replace your configuration files.

Once the custom security extension is configured properly, it is time to configure the RS role-based security and grant selected end users Browser rights to the folder that contains the Customer Orders report (the folder name is FormsAuthentication by default). To configure the RS security, follow these steps:

  1. Open your browser and navigate to the report manager portal. Make sure to specify the computer name (not localhost): http://<my computer name>/reports.
  2. You should see the report manager login form (the UILogon.aspx page in the AdventureWorks.Extensibility project) as shown in Figure 3. Log in using the admin credentials ('admin' as both user ID and password).
  3. Navigate to the FormsAuthentication folder. If you don't see it, deploy the Reports project to the report server.
  4. Click on the Properties tab and then on the Security link. Grant a few customers Browser rights to the FormsAuthentication folder, as shown in Figure 4.

Figure 4. The Forms Authentication Folder: Use the Report Manager to set up role-based security with RS Forms Authentication.

Each time you add a new customer, the report server will call IAuthenticationExtension.IsValidPrincipalName in the custom security extension to verify the user name. This implementation of IsValidPrincipalName simply queries the Individual table in the AdventureWorks2000 database to determine if a record with this customer identifier is found. Though this code sample uses the customer identifier (column CustomerID) to identify Web customers, you can choose whatever identifier you want, e.g. Employee SSN.

Please note that the purpose of the IsValidPrincipalName method is just to verify that a user with such an identifier exists; it is not meant to authenticate the user. This is similar to verifying the user identity or group name when the RS Windows-based security is used. The actual user authentication is performed in the IAuthenticationExtension.LogonUser method.
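
The existence check described above, as an added example (not the code from the article's sample package): it parses the principal name strictly and looks it up in the Individual table with a parameterized query. The class name, the connection string, and the assumption that CustomerID is an integer column are illustrative.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

// Added illustration; not the code from the article's sample package.
public class PrincipalNameCheck
{
    // Assumption: a connection string for the AdventureWorks2000 database.
    private readonly string connectionString;

    public PrincipalNameCheck(string connectionString)
    {
        this.connectionString = connectionString;
    }

    // Accept only a plain run of digits that fits in an int (assumes CustomerID
    // is an integer column). Signs, whitespace and anything else are rejected
    // before the value reaches the database.
    public static bool TryParseCustomerId(string principalName, out int customerId)
    {
        customerId = 0;
        if (principalName == null || principalName.Length == 0) return false;
        try
        {
            customerId = Int32.Parse(principalName, NumberStyles.None,
                                     CultureInfo.InvariantCulture);
            return true;
        }
        catch (FormatException) { return false; }
        catch (OverflowException) { return false; }
    }

    // Body for IAuthenticationExtension.IsValidPrincipalName: existence only.
    // No password is involved here; authentication stays in LogonUser.
    public bool IsValidPrincipalName(string principalName)
    {
        int customerId;
        if (!TryParseCustomerId(principalName, out customerId)) return false;

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT COUNT(*) FROM Individual WHERE CustomerID = @CustomerID", conn))
        {
            cmd.Parameters.Add("@CustomerID", SqlDbType.Int).Value = customerId;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

Because the identifier is bound as a typed parameter, a principal name typed into the Report Manager security page is never concatenated into the SQL text.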

Once the Adventure Works customers have been granted access, they are all set to request reports. However, to do so they have to first log in to the Adventure Works Web portal.
