February 27, 2009 at 3:18 am
Hi - Does anyone know if it is possible to determine if a user id is a member of an Active Directory group - possibly using Custom Code in Report properties?
I have built a set of drill through reports to show various related information about properties owned by my organisation. One of the reports shows, for example, the location of water stop cocks and gas shut off taps. Another shows the financial information such as the value of the property. Clearly a maintenance engineer should not be seeing financial information and the Finance Director is not really interested in where to switch off the water supply. Access to the reports, using Reporting Manager, is given to an Active Directory account who is a member of an Active Directory group. The Active Directory group is set up as a Browser Role Assignment. The top level report is called from another web application (that I have no control over) by supplying the URL to the report together with the key of the property to be reported on. So I cannot have two sperate reports - one with the finance button and one with the maintenance button.
My thought is to create two sperate Active Directory groups - in this example there would be a Maintenance Group and a Finance Group. I know that the user id is available as a Global Variable that can be used in Expressions. But is it possible to determine whether that user id is a member of the Active Directory group.
For example:
If UserId is member of Finance group then show the link button to finance reports.
If this is not possible can anyone suggest a possible different way to solve my problem?
I hope this makes some sense and further hope that help is available.
Thanks in anticipation
Les
February 27, 2009 at 10:22 am
I don't think you have a security problem but rather reports design issue because if you are using another reports tool there is no valid reason for a finance director to share a report with maintenance engineer.
So move the data needed for finance director to a view and maintenance engineer to another view and create a report for each.
Kind regards,
Gift Peddie
March 3, 2009 at 2:42 am
Gift Peddie - Many thanks for your consideration and reply.
I'm new to the use of forums and I probably did not explain my problem clearly enough.
The web application that supplies the URL to my set of reports is a map. I don't know who is clicking on a section of the map, thereby indicating which property is of interest, until they arrive at my top level report. Then I can determine their active directory account using the custom code feature of the report properties. My idea was to separate the different user types into active directory group accounts and give all groups access to the top level report. I would display the relevant links depending upon which group the user is a member of. It would not be right to display a link and then deny access after it has been clicked! We all know how annoying that can be.
I may be trying to be too ambitious and pushing the bounds of reporting services too far. And perhaps I'm expecting too much of the custom code feature. But what I'm trying to do is write something that says, for example,
"IF the activeDirectoryAccount is a member of financeGroup
THEN set financeButton.visible = true
ELSE set financeButton.visible = false"
I hope this explains the problem a little better and why I would need the top level report to determine user status.
Still hoping for help on this!
Thanks
Les
March 3, 2009 at 7:58 am
I may be trying to be too ambitious and pushing the bounds of reporting services too far. And perhaps I'm expecting too much of the custom code feature. But what I'm trying to do is write something that says, for example,
"IF the activeDirectoryAccount is a member of financeGroup
THEN set financeButton.visible = true
ELSE set financeButton.visible = false"
You not being ambitious you are just using the wrong tool, SSRS Expression was not created to implement authorization that is covered in Asp.net security. So put your reports for each group in a folder and add the users name to the folder, remember to leave the everybody group alone because SSRS and Asp.net are also member of that group. If you remove the everybody group and your code will not run.
Kind regards,
Gift Peddie
March 3, 2009 at 8:39 am
Gift Peddie
Once again thanks for your reply. I'll try to put into practice your suggestion.
Kind regards
Les
March 4, 2009 at 8:35 am
I hope this doesn't sound too obvious, but do you have access to the employee/department data? If so, can't you use the user ID from Reporting Services to lookup the user's department? This is how we have implemented the ability to show specific data to specific users.
Hope this helps!
Michael R.
March 4, 2009 at 9:31 am
Michael - thank you for your reply.
Grasping inspiration from advice provided by Gift Peddie and yourself I've put together a cunning plan.
I'm requesting read access to our active directory system. That should let me check if an individual is a member of an AD group. I'll need to put a VB.net program between the map application and my set of reports. The VB will have a switch depending upon the result of interrogating the active directory database and send the user to the relevant top level report (one version for finance and the other for maintenance).
I doubt this will be the most elegant solution but I'll give it a try.
Thanks once again for the help given by you and Gift Peddie.
Kind regards
Les
March 5, 2009 at 12:19 pm
I think this could be your solution
1. Create a dll in ASP.Net which checks if the user belongs to Active directory group or not. You can pass the parameter.
Some reference code can be foudn at
http://www.codeproject.com/KB/IP/StorerActiveDirectory.aspx
2. Deploy the dll on report server
3. Call the function which is defined in the dll to check the user.. pass username as parameter.
I hope this helps
March 6, 2009 at 3:07 am
Reportmaker - Thank you for your reply. I'll be checking out your suggestions.
This is the first time I've asked for help on any forum. I'm glad I chose SQL ServerCentral. I've been really impressed by the response and thank everyone who has offered possible solutions. I'm even tempted to use one of the funny faces. 🙂
Kind regards
Les
Viewing 9 posts - 1 through 8 (of 8 total)
You must be logged in to reply to this topic. Login to reply