Sunday, March 25, 2012

Customer Accounts Report

I have a security doubt about how to design a report that must show the accounts
of a customer.
I have an aspx page showing the customer info, then he must push a button and
see his accounts on a report generated by Reporting Services.
Obviously the report cannot be accessed via a Customer parameter because
other users could see any customer's accounts.
How can I solve it?
I am thinking of generating a temp table with a random id and passing it by
parameter, but it is only so as to reduce an intruder's access.
Thanks

Hi Fernando,
If you are using ASP.NET you have more than one option:
1.- Storing in Session variables
2.- Using QueryString
3.- Using server-side code (static variables)
4.- Change the report viewer (passing SOAP params)
The fact is the report params do not have to be part of the URL; you can easily
hide them using multiple techniques. Depending on how your app is designed, you
may use some of them.
Thanks
Jerry
--
You can use this example to show you how to call the report params.
http://www.rdlcomponents.com/ASPExamples/Default.aspx?sm=b1_a

That's true, we have multiple techniques to pass parameters, but not to prevent
access to those public parameters.
When a report is deployed, anyone (authenticated) can access the report,
and can access it via URL with the possibility of changing any
parameter value via URL.
That's what I want to avoid. I am trying to investigate doing it with a
DataProcessingExtension.
Thanks.

Check out this link:
http://www.codeproject.com/useritems/SQLRSViewer.asp#TheCodeBehind
It's an ASP.NET app that lets you recreate the entire look of the report
viewer. It also gives you flexibility in what you feed the report.
I was able to use this program and feed in my own parameters. The report
will display and no parameters are visible in the URL.
Look for the variable 'reportParameterValues2' in the code. It's an array
that stores the parameters for your report.
Hope this helps, or at least gets you started.

Yes, I previously took a look at this project, but that is another client
solution where you can pass parameters to a public report.
"Hausbro" wrote:
> Check out this link:
> http://www.codeproject.com/useritems/SQLRSViewer.asp#TheCodeBehind
> It's an ASP.NET app that lets you recreate the entire look of the report
> viewer. It also gives you flexibility in what you feed the report.
> I was able to use this program and feed in my own parameters. The report
> will display and no parameters are visible in the URL.
> Look for the variable 'reportParameterValues2' in the code. It's an array
> that stores the parameters for your report.
> Hope this helps, or at least gets you started.

Ok.
I decided to write some sample code for the solution I was thinking about:
generating a temp table with a random id and passing it by
parameter, or something like this.
I'll publish it somewhere.
I'll go on writing on my blog
http://msdevelopers.blogspot.com/2005/03/reporting-services-filtering.html
Fernando Hunth
Senior Developer
Huddle Group S.A.
fernando@.huddle.com.ar
Huddle Group S.A. | Enterprise Technology Services
Microsoft Certified Partner
Ciudad de Buenos Aires · Argentina
www.huddle.com.ar
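
The temp-table-with-random-id idea from the thread, sketched in T-SQL as an added example; it is not code from any poster or from the linked blog. Table, procedure and column names are hypothetical, and it assumes SQL Server 2008 or later (CRYPT_GEN_RANDOM, DATETIME2, CONVERT style 2).

```sql
-- Added example: all object names are hypothetical; assumes SQL Server 2008+.
CREATE TABLE dbo.ReportTicket (
    Ticket     BINARY(32)    NOT NULL PRIMARY KEY, -- unguessable 256-bit value
    CustomerId INT           NOT NULL,             -- fixed server-side, never sent by the browser
    IssuedTo   NVARCHAR(128) NOT NULL,             -- web user it was issued for (audit trail)
    ExpiresUtc DATETIME2(0)  NOT NULL,
    UsedUtc    DATETIME2(0)  NULL                  -- set on first use: single-use ticket
);
GO

-- Called by the ASPX page only after it has verified that @WebUser owns @CustomerId.
CREATE PROCEDURE dbo.IssueReportTicket
    @CustomerId INT,
    @WebUser    NVARCHAR(128),
    @Ticket     BINARY(32) OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    SET @Ticket = CRYPT_GEN_RANDOM(32);            -- CSPRNG, unlike NEWID() or RAND()
    INSERT INTO dbo.ReportTicket (Ticket, CustomerId, IssuedTo, ExpiresUtc)
    VALUES (@Ticket, @CustomerId, @WebUser, DATEADD(MINUTE, 2, SYSUTCDATETIME()));
END;
GO

-- Report dataset query. The report's only parameter is the ticket as 64 hex characters;
-- there is no customer parameter left to tamper with.
CREATE PROCEDURE dbo.GetCustomerAccountsByTicket
    @Ticket CHAR(64)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @Claimed TABLE (CustomerId INT NOT NULL);

    -- Atomically consume the ticket. Expired, already used or guessed values match
    -- no row; a value that is not valid hex makes CONVERT raise an error.
    UPDATE dbo.ReportTicket
       SET UsedUtc = SYSUTCDATETIME()
    OUTPUT inserted.CustomerId INTO @Claimed
     WHERE Ticket = CONVERT(BINARY(32), @Ticket, 2)
       AND UsedUtc IS NULL
       AND ExpiresUtc > SYSUTCDATETIME();

    SELECT a.AccountId, a.AccountName, a.Balance   -- dbo.Accounts columns are assumed
      FROM dbo.Accounts AS a
      JOIN @Claimed AS c ON c.CustomerId = a.CustomerId;
END;
GO
```

Because the ticket is consumed on first use, running the dataset query a second time with the same value returns no rows, so the page has to issue a fresh ticket for each report view.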
