I have integrated reporting services into the web application using the reporting web services. My web application has it's security model.
What is the best to implement security in this integrated scenario?

I would love to help you, but I need more information. What is the security model of the application? What is your environment? ( standalone servers, domain, etc...) What kind of security do you want?

Our web application is an intranet application with Role Based Security model. I am thinking about ignoring the security at the report server level and treating the reports as resources at the application. Then I can display the list of reports (programatically) that the user is authorized based on the role at the application level.

When you say "Role" based security, I am assuming that you are using Windows authentication and authorization, and that you are using "Windows groups" to define your roles. If this is the case, you may turn impersonation on, then execute code against the Reporting Web Service. The reporting service will return resources( reports) that the current user has access to. You can then incorporate that into your app so that the users get access to what they need. You should't have to do anything special because the web service only returns reports that the user can access.

If you are using some kind of custom "role based" security then your task is more difficult, and you will have to do ALOT more work. I can point you in the right direction if you MUST take this route.

T

Todd Bryant
MCSD,MCDBA,MCSE,MCT

tabryant,

I have a similar queston about permissions and security. Can you take a look an this post and let me know what you think?

http://p2p.wrox.com/topic.asp?TOPIC_ID=15196

Thanks!

Chris

I am using 'custom' role based authorization. Authentication and Authorization is done by the home grown security module which is based on the data (user/roles) in the database.

Thanks a lot for your support.

If you are using custom, then you either have to filter the content in some custom manner, or you will have to create your own security extension.

MS made some undocumented changes that I didn't discover until after the book shipped. There is a note in the "Extending" chapter that is almost right. They included support by creating an interface called "IAuthenticationExtension" that you can implement in a custom way. It can be done, but there is no documentation.

Download exploration tool "Reflector" from

http://www.aisto.com/roeder/dotnet/

This will enable you to explore the Reporting services DLLS to find out what you need to do. I will include this in the 2nd edition of the book.

Good Luck,



Todd Bryant
MCSD,MCDBA,MCSE,MCT

I have an application with custom security too, all users can access al reports but the information to be showed may vary depending on their permissions, how should i filter information?, ive thought of creating a custom data processing extension but it seems like a dificult task, besides the data is already in sql server.

Could i create functions similar to the ones used for custom formatting, and use them to filter data?

Your only choice is to build something custom if you don't want to use Windows security. Here are some of your options.

1) Implement a custom security extension. The technique is undocumented, and I am not ready to release anything on it at this time. It is unsupported, but it can be done.

2) Do your filtering at the application level, and only provide links to reports that the user should have access to.

3) Build a custom data store that has user permissions that you filter on at runtime. Typically this would be a database table.






Todd Bryant
MCSD,MCDBA,MCSE,MCT