Sunday, February 19, 2012

Changing HOME folder per user

I am wondering how I could do the following -

Right now the default folder is Home, what if I have two users User1 and User2, my folder structure is the following -
Home/User1
Home/User2

I want each user to only have access to their folder. That is easy to do.

Once both users have proper access to their folders they still don't have access to Home folder. In Report Builder when I do 'open file' it defaults to Home folder so I get an error. How can I specify the home folder to be User1 for that user and User2 for the second user? I know I can give them both browsing permissions to Home but it's not very elegant.

There must be a way to programmatically change the folder as soon as the proper user logs in. Does anyone know how to do that?

Thanks.
Anybody?

How about this, is there a way to do custom folder access, for example a user who has a proper flag set in a custom DB can only have access to one set of models, another user to another and so on. None of this is in RS DB except for one big organizational user who has access to everything. I want to be able to restrict access on the fly so once the user logs in using custom DB credentials they can only have access to some things and not the others.

Thanks
|||

There's no way to change the home folder programmatically. What you can do is give everyone browser permission on the home folder and then content manager or publisher permission on their home/user1 folder.

Not sure if you're aware of the My Reports feature that essentially lets you not have to manage the creation of User1..N folders yourself. Everyone would see a folder called "My Reports".

-Lukasz

|||Thanks for your answer. The solution you proposed is what I'm doing right now.

As to My Reports, I am trying to get away from RS users/roles completely. We have all this defined in a custom DB and it's a real pain for me to make all that security work with RS.

Right now I'm trying to figure out how to get a folder name from CheckAccess so I can see in my DB if I should allow access to this folder from this user. Not sure if that's possible at all. Ideally my RS would only have one user (main RS admin) and the rest of the users/roles/permissions would be taken from a custom DB and inside my authentication extension I would give out permissions depending on that.
|||You can build your custom web that integrates your custom security (DB); with that you will be 100% positive that you are listing / giving the right access to the users.|||

Paul.G. wrote:

You can build your custom web that integrates your custom security (DB); with that you will be 100% positive that you are listing / giving the right access to the users.

I am not even using the web at this point. All the client is given is a link to Report Builder. There is a lot of underlying stuff other than the website that I have to deal with, that's the issue.
|||

RS does not expose the folder/path of the item being accessed to the security extension. We don't really support this scenario very well, but it is possible with enough determination :-).

The key thing is that the security descriptor stored with a given item in RS is entirely in the control of the authorization extension. The authorization extension builds the ACL, sets the group names, etc. You could try using it to store some relation information associated with the item. Then you'd use this information in your CheckAccess method implementation to go look up the corresponding values in your own database.

The consequence of this approach is that assigning role based security in the RS UI/tools is likely to result in mismatches with your database. You'll want to write your own code to manage the security rights and not allow users to change it on the RS side.

Hope that helps,

-Lukasz

|||So you are saying that somehow I can relate acl info to something in my database to add more information to every entry while creating a descriptor?

That sounds interesting. Is there some kind of a unique key I can tie this extra info to?

Thanks very much for the idea.

Code Snippet

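    using System.IO;
    using System.Runtime.Serialization.Formatters.Binary;
    using Microsoft.ReportingServices.Interfaces;

    // Serializes the ACL into the opaque security descriptor stored with the item.
    public byte[] CreateSecurityDescriptor(
        AceCollection acl,
        SecurityItemType itemType,
        out string stringSecDesc)
    {
        BinaryFormatter bf = new BinaryFormatter();
        using (MemoryStream result = new MemoryStream())
        {
            bf.Serialize(result, acl);
            stringSecDesc = null;
            // ToArray returns only the bytes written; GetBuffer also returns unused capacity.
            return result.ToArray();
        }
    }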


|||Why doesn't CreateSecurityDescriptor execute on folder creation? Shouldn't the descriptor be created during that time?

And once again, is there any unique key (I guess it would be in acl) that I can tie custom stuff to (like have it as a uuid in my db which corresponds to whatever extra security I create)?
|||

Not sure of the specific reason, but the default is to inherit from parent.

Unique IDs - you should assign a unique ID in your own database of items, for example you might use the rowguid. This will make it *much* easier to relate items in SRS to your database. It will also mean that the first step in item creation in SRS is to create the item in your own database. Natural consequences are 1) you need to build custom publishing/management interfaces in your application and 2) you'll need to ensure your application's service account has sufficient permission in RS to at least create all items and 3) you don't want users publishing reports directly against SRS - this would invalidate your security extension model.

Hope that helps,

-Lukasz
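
An added example, not part of the thread and not Reporting Services code: a self-contained C# program showing the approach described in the replies above, where the descriptor stored with an item carries that item's GUID from the custom database and the access check looks the GUID up, denying by default. The `ItemKeyDescriptor` and `Demo` classes, the `ISD1` marker, the 20-byte layout and the in-memory `Grants` table are assumptions made for illustration; wiring this into the extension's own CreateSecurityDescriptor and CheckAccess methods is not shown.

```csharp
using System;
using System.Collections.Generic;

// Added illustration only: no Reporting Services types are used here.
static class ItemKeyDescriptor
{
    // Constructed format marker so foreign or legacy descriptors are rejected.
    static readonly byte[] Tag = { (byte)'I', (byte)'S', (byte)'D', (byte)'1' };

    // Pack the item's row GUID from the custom database into opaque descriptor bytes.
    public static byte[] Create(Guid itemId)
    {
        var sd = new byte[20];
        Tag.CopyTo(sd, 0);
        itemId.ToByteArray().CopyTo(sd, 4);
        return sd;
    }

    // Strict parse: a wrong length or marker yields no key at all.
    public static bool TryRead(byte[] secDesc, out Guid itemId)
    {
        itemId = Guid.Empty;
        if (secDesc == null || secDesc.Length != 20) return false;
        for (int i = 0; i < 4; i++)
            if (secDesc[i] != Tag[i]) return false;
        var raw = new byte[16];
        Array.Copy(secDesc, 4, raw, 0, 16);
        itemId = new Guid(raw);
        return true;
    }
}

static class Demo
{
    // Stand-in for the custom security database: item id -> users granted access.
    static readonly Dictionary<Guid, HashSet<string>> Grants = new Dictionary<Guid, HashSet<string>>();

    // Deny unless the descriptor parses and the database holds an explicit grant.
    static bool IsAllowed(string userName, byte[] secDesc)
    {
        Guid id;
        HashSet<string> users;
        return ItemKeyDescriptor.TryRead(secDesc, out id)
            && Grants.TryGetValue(id, out users) && users.Contains(userName);
    }

    static void Main()
    {
        Guid user1Folder = Guid.NewGuid(); // constructed sample row id
        Grants[user1Folder] = new HashSet<string> { "User1" };
        byte[] sd = ItemKeyDescriptor.Create(user1Folder);
        Console.WriteLine(IsAllowed("User1", sd));          // user with a grant on the folder
        Console.WriteLine(IsAllowed("User2", sd));          // no grant in the database
        Console.WriteLine(IsAllowed("User1", new byte[3])); // malformed descriptor
    }
}
```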
