May 31, 2006 at 1:53 pm
I am trying to create a website where all users will have access to all reports, but will only be able to view the results for their userid. I have the userid as a parameter for the reports, but I can't seem to figure out how to use it for authentication/authorization.
Passing it in the query string doesn't seem like a good idea, as userid's are consecutive numbers so other users could probably guess userid's to try. Seems like there must be a way to do this although I can't find it.
Thanks!
May 31, 2006 at 2:41 pm
Reporting Services authentication is done via windows Authentication, If the user is not using windows auth then you will need to build your own front end page with login/authentication, then pass the report request and userID to reporting services thru a query string and return it to your application.
If you are using windows authentication, your going to have to map the app userid and the windows login name. and use the userID global passed into the proc to find the "UserID"
May 31, 2006 at 3:00 pm
Yes I forgot to include that I would like to use forms authentication. I have the page with login/authentication. The problem is passing the parameters in the querystring, it doesn't seem to me to be a secure way, as userid = 1 could probably guess the that there is a userid=2 and just view all reports, by guessing consecutive numbers.
May 31, 2006 at 3:41 pm
Give this a read, perhaps it will help
http://blogs.msdn.com/tudortr/archive/2004/07/20/189398.aspx
June 1, 2006 at 7:19 am
I had an identical problem.
I sorted it by giving each user a 4 digit PIN number. I passed 2 parameters : user_id and User_pin
So, the user id might be guess-able, but as long as the user kept the PIN number secret, job done !
Sunil
Viewing 5 posts - 1 through 4 (of 4 total)
You must be logged in to reply to this topic. Login to reply