Friday, March 30, 2012

Investigating Custom Security

Hi everyone,
At the moment, my company is looking at ways to offer data hosting to our
customers. As far as Reporting Services goes, the current idea is that they
would contact a Report Server hosted by us externally. As a result, we are
looking at which security options are best and would appreciate some insight
if anyone has any suggestions.
At the moment, the idea is to have a single report server with different
folders for each customer. We would like to implement security so that each
customer can see their own folder, but no-one else can, and no-one can see
the directory of folders. It does not appear to be feasible to do this with
Windows role-based security, so we are looking at writing our own custom
security extension. The problem here is that there does not seem to be a
way, when dealing with AceStructs, for example, to monitor which folder the
user is in.
Anyway, my questions are:
1. Is this whole approach wrong-headed, i.e. do we really need to have a
different ReportServer for each customer? We would like to avoid this if
possible.
2. If we do use the same server with different folders, what is the best
way to check what folder the user is in and whether that is their correct
folder (in, for example, the IAuthorizationExtension.CheckAccess implemented
method)?
As ever, any help very much appreciated.
Ed Allison

We implemented something incredibly similar. You don't need to know what
folder the user is in within CheckAccess, because that's part of the ACL associated
with it. You assign users (or groups) particular access to different
folders. CheckAccess will do the rest of the work.
So if you had 2 folders in the root for
/ClientA
/ClientB
and neither wants to see the other... (well, you don't want them to)
you would assign permissions for the group ClientA to the ClientA folder,
and ClientB to the ClientB folder.
Now they may be able to see the folder, but if they try to access it, it
gets access denied.
Otherwise, it sounds like you're trying to re-write CheckAccess in almost the
same way it is now... just think about it a bit differently.
"Ed Allison" <ed@.optix.co.uk> wrote in message
news:OP6TJBCSGHA.5908@.TK2MSFTNGP14.phx.gbl...
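As an added illustration of the point above (example code written for this page, not from the thread or from Microsoft's own sample): the Report Server passes CheckAccess the security descriptor it stored for the item being touched, so the extension never has to work out which folder that is; it only has to evaluate that ACL for the caller. The serialization mirrors what the Microsoft custom-security sample does; the membership table and IsMemberOf are constructed assumptions standing in for a real group lookup.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using Microsoft.ReportingServices.Interfaces;

// Only the FolderOperation overload of CheckAccess is shown; the other
// overloads (ReportOperation, ResourceOperation, ...) follow the same pattern.
public partial class FolderAclAuthorization : IAuthorizationExtension
{
    // Called when a policy is saved on an item. The bytes returned here are
    // exactly what CheckAccess later receives as secDesc, so the extension
    // owns the format (BinaryFormatter, as in Microsoft's sample extension).
    public byte[] CreateSecurityDescriptor(AceCollection acl, SecurityItemType itemType, out string stringSecDesc)
    {
        stringSecDesc = null;
        using (var ms = new MemoryStream())
        {
            new BinaryFormatter().Serialize(ms, acl);
            return ms.ToArray();
        }
    }

    // secDesc is the ACL of the folder being accessed, e.g. /ClientA.
    // ClientB's group is simply absent from it, so the loop falls through to deny.
    // To hide the root listing, grant no FolderOperation.ListChildren on "/" to either group.
    public bool CheckAccess(string userName, IntPtr userToken, byte[] secDesc, FolderOperation requiredOperation)
    {
        AceCollection acl;
        using (var ms = new MemoryStream(secDesc))
            acl = (AceCollection)new BinaryFormatter().Deserialize(ms);

        foreach (AceStruct ace in acl)
        {
            // PrincipalName may be a user or a group name as assigned in the policy.
            bool matches = string.Compare(userName, ace.PrincipalName, true, CultureInfo.InvariantCulture) == 0
                           || IsMemberOf(userName, ace.PrincipalName);
            if (!matches) continue;
            foreach (FolderOperation granted in ace.FolderOperations)
                if (granted == requiredOperation) return true;
        }
        return false; // deny by default
    }

    // Constructed sample membership table; a real extension would query the tenant directory.
    private static readonly Dictionary<string, string[]> Groups = new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
    {
        { "ClientA", new[] { "alice@clienta.example" } },
        { "ClientB", new[] { "bob@clientb.example" } },
    };

    private static bool IsMemberOf(string userName, string groupName)
    {
        string[] members;
        return Groups.TryGetValue(groupName, out members)
            && Array.Exists(members, m => string.Equals(m, userName, StringComparison.OrdinalIgnoreCase));
    }
}
```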

You have to enable the "My Reports" feature in Reporting Services and refer
your customers to the "My Reports" folder upon login.
Everyone will have their own, and you don't have to know what the real name
of the folder is - just use the "My Reports" path.
But you are going to face a challenge accessing shared reports in a fixed
folder - use parameter encryption in that case.
--
Oleg Yevteyev,
San Diego, CA
It is OK to contact me with a contracting opportunity.
"myfirstname"001atgmaildotcom.
Replace "myfirstname" with Oleg.
--
"Ed Allison" <ed@.optix.co.uk> wrote in message
news:OP6TJBCSGHA.5908@.TK2MSFTNGP14.phx.gbl...

I'll look into that. Thanks for your help.
"Oleg Yevteyev" <myfirstname001atgmaildotcom> wrote in message
news:%23xh9mOJSGHA.5728@.tk2msftngp13.phx.gbl...

Thanks for your answer, Chris. You are correct. I was working on the false
assumption that it would be necessary to completely re-write CheckAccess. I
see that this is not necessary, and that will save me a lot of time.
"Chris Taylor" <ctaylor7480@.newsgroups.nospam> wrote in message
news:ejiAGRFSGHA.4384@.tk2msftngp13.phx.gbl...
