ReportViewer and Reporting Services 2008

  • Question

  • I'm not quite sure I understand this very well, but what security measures should I consider when I am using the ReportViewer control on an ASP website for the internet? Are we only securing the actual page that contains the ReportViewer control, or do we consider the actual security in Reporting Services?

    Like I can see in ReportManager that we can set up security roles etc. But can ReportViewer be accessed by anyone that's viewing the page?

    From my understanding, when accessing the actual URL of the report or Reporting Manager you have to use your own custom security extensions to allow access. Is this the case for ASP pages running a ReportViewer control? Because it all seems so simple. The site already has its own authentication mechanism; do I have to consider anything else other than access to the actual page?

    Are there any disadvantages of using ReportViewer compared to getting the reports from the Reporting Services web server?

    So far from my research I understand the only security we need to take care of, regarding the ReportViewer, is the SOAP data transfer (which hopefully will use SSL) and the actual DataSource for the reports. For that, right now I'm considering using a default SQL Authentication account; is that OK?

    Sorry if I confused everyone. I'm just a young paranoid DBA :( so any help will be much appreciated.

    Thank you
    • Edited by tarikk Thursday, July 10, 2008 4:04 AM cleared a thing or two up
    Thursday, July 10, 2008 4:01 AM

All replies

  • There are really two users you are talking about when using the ReportViewer web control in server mode: the user connecting to the web page, and the user being used to connect to the report server.

    The report viewer itself is just a control on the page.  Once a user has been authorized to view the page, they will be able to see the viewer on the page just as they would any text box, button, etc.  That is up to your application to decide.  There are some impersonation settings in ASP.Net as well as in IIS to determine how a user is authenticated and authorized to view a page.

    When the report viewer connects to the report server to render a report, it must connect as a user that is authorized to view the report.  That authorization is controlled by the server, as you noted.  By default, the report viewer will connect to the report server as the user the ASP.Net thread is running as.  But it doesn't have to.  The authentication used by the report viewer can be changed via the IReportServerCredentials interface (http://msdn.microsoft.com/en-us/library/microsoft.reporting.webforms.ireportservercredentials.aspx).  It's quite common for a web site to allow a variety of users to connect to it, but always communicate with the report server as a different, constant user.
    Thursday, July 10, 2008 9:43 PM
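
An added example, not part of the original reply or of Microsoft's documentation: one way to implement the IReportServerCredentials interface mentioned above so the site always talks to the report server as a single constant account. The class name, the appSettings keys, the control ID, the server URL and the report path are assumptions made for illustration.

```csharp
using System;
using System.Configuration;
using System.Net;
using System.Security.Principal;
using Microsoft.Reporting.WebForms;

// Hypothetical class: every viewer request reaches the report server as one
// fixed, low-privilege Windows account instead of the ASP.NET thread identity.
public sealed class FixedReportServerCredentials : IReportServerCredentials
{
    private readonly NetworkCredential _credential;

    public FixedReportServerCredentials()
    {
        // Assumed appSettings keys; keep this config section encrypted or
        // load the values from a secret store rather than hard-coding them.
        string user = ConfigurationManager.AppSettings["ReportUser"];
        string password = ConfigurationManager.AppSettings["ReportPassword"];
        string domain = ConfigurationManager.AppSettings["ReportDomain"];

        // Fail closed: never fall back silently to the application pool identity.
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password))
            throw new ConfigurationErrorsException("Report server account is not configured.");

        _credential = new NetworkCredential(user, password, domain);
    }

    // null = do not impersonate a Windows identity for the call.
    public WindowsIdentity ImpersonationUser { get { return null; } }

    // Credentials sent to the report server web service.
    public ICredentials NetworkCredentials { get { return _credential; } }

    // Forms authentication (custom security extension) is not used here.
    public bool GetFormsCredentials(out Cookie authCookie, out string userName,
                                    out string password, out string authority)
    {
        authCookie = null;
        userName = password = authority = null;
        return false;
    }
}

// In the page's code-behind, after the site's own authorization check passed
// (the ReportViewer control ID, URL and report path are placeholders):
//   ReportViewer1.ProcessingMode = ProcessingMode.Remote;
//   ReportViewer1.ServerReport.ReportServerUrl = new Uri("https://reports.example.internal/reportserver");
//   ReportViewer1.ServerReport.ReportPath = "/Sales/Summary";
//   ReportViewer1.ServerReport.ReportServerCredentials = new FixedReportServerCredentials();
```

With this arrangement the report server sees only the fixed account, so that account should be granted nothing beyond the Browser role on the reports the site exposes, and deciding which site user may open which report remains the page's job.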
  • Wait, so there is a user that connects the ReportViewer to the ReportServer? This has nothing to do with the Report's Datasource to retrieve the data for the report, right?

    Or are you talking about the report's datasource? Because SQL Authentication would solve this problem... But just the fact that impersonating NT Authentication is the standard approach?

    Thanks for your reply
    Sunday, July 13, 2008 9:44 PM