March 23, 2009 at 5:49 am
I am having a 'debate' in my office with a member of our MI team regarding how to secure the reports he is writing in Reporting Services. As our DBA I am pushing for him to use integrated AD security to control access to reports. He is adamant that this creates an administrative burden and would prefer to use SQL security.
I don't know enough about Reporting Services and how it works to really understand his concerns. Can anyone give a simple explanation as to the problems with AD? Or a link to any documentation would be great.
March 23, 2009 at 11:41 am
Are you talking about the individual reports or are you talking about the way SSRS is connecting to your database to retrieve information?
If he's talking about the actual data connection, then maybe I could buy the admin burden stuff, but that all depends on how the data is being accessed? Is it by views/stored procedures only or is it actually at the table level? How many rights do you really want to give your average Bob Smith from accounting within your DB? Just granting him execute on certain stored procedures and views could be as easy or as hard as you make it and it really doesn't matter if you're using SQL users or AD users/groups. It comes down to the same thing: only allow the users to do what they really need to be able to do. Principle of least privileges and such. (Actually AD groups would be easier 'cause you probably already have that in place for other things like file shares and such and it would be easy to integrate into the db.)
If instead he's talking about the individual reports themselves and how a user would access them, integrated Windows Auth probably makes the most sense. Basically you set up a few roles, what type of user can see which reports/folders. Then you add your AD groups to those roles and you're done. I'm wondering how this could possibly be a burden? All he has to do is deploy the reports to the appropriate folder and it begins to inherit the folder's properties just like a file share or anything else with inheritable permissions.
Check "Setting Permissions in Reporting Services" in BOL. It walks you through how to set up some basic security.
Hope that helps a little.
-Luke.
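An added example, not part of the original posts: the data-connection case described above, with one AD group mapped to a database role that can only execute procedures and read views. The domain `CONTOSO`, group `Accounting_ReportReaders`, database `SalesDW` and schema `rpt` are assumed names, and it assumes the report data source connects with the user's Windows identity.

```sql
-- Assumed names (not from the thread): CONTOSO\Accounting_ReportReaders, SalesDW, rpt.
-- The rpt schema is assumed to already exist and to hold only the views and
-- stored procedures that the reports call.

USE master;
-- One login for the whole AD group. Membership is managed in AD, so there are
-- no per-user SQL logins or SQL passwords to create, expire or reset.
CREATE LOGIN [CONTOSO\Accounting_ReportReaders] FROM WINDOWS;

USE SalesDW;
CREATE USER [CONTOSO\Accounting_ReportReaders]
    FOR LOGIN [CONTOSO\Accounting_ReportReaders];

-- Permissions hang off a database role, so another AD group can be given the
-- same access later by adding it to the role.
CREATE ROLE ReportReaders;
EXEC sp_addrolemember N'ReportReaders', N'CONTOSO\Accounting_ReportReaders';

-- Least privilege: execute procedures and read views in rpt, nothing else.
GRANT EXECUTE ON SCHEMA::rpt TO ReportReaders;
GRANT SELECT  ON SCHEMA::rpt TO ReportReaders;
-- No grants on the base tables. If rpt and the table schema have the same
-- owner, ownership chaining lets the rpt objects read the tables while a
-- direct SELECT against a table by a group member is refused.

-- Check: list what the role has actually been granted.
SELECT pr.name            AS grantee,
       pe.class_desc,
       pe.permission_name,
       pe.state_desc,
       SCHEMA_NAME(pe.major_id) AS schema_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
     ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'ReportReaders'
  AND pe.class_desc = N'SCHEMA';
```

The same grants could be made to a SQL-authenticated user; the difference is only where the accounts and passwords are managed.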
March 23, 2009 at 3:51 pm
Ask how burdensome it is for users to have more than one password and userid? Ask him how burdensome it is to reset non-AD passwords people forget. Ask him how it could be less burdensome to manage password expirations and resets for double the amount of user ids and passwords. This is basic stuff. Integrated security beats the pants off anything else and is a major reason I love Reporting Services. Always head in the direction of single sign on. It is always better. 🙂