Securing SSRS report parameter

0
votes

I have created an SSRS report which I am using in Asp.net website. Reports accepts server, database,user and password to create connection string dynamically. Dynamic connection string is required because user can select a database at the time of log-in and that database need to be used for SSRS.

One requirement is such that user should be able to create SSRS report himself. For the purpose I provided guideline that how to create parameters that are require data-source's dynamic connection string.

One possible problem I thought is if user do not make parameters as hidden, he will have database credential in clear text.

I thought of adding encryption at asp.net website and decryption in SSRS report but decryption function/code will be easily accessible at the time of designing.

Any idea how to overcome the situation?

1
reporting-servicesssrs-2008-r2
What parameters are you trying to keep hidden? Do you mean you're adding the user login info as parameters? If so, you should know to never save to save a password as cleartext. Just encrypt the password and save the encrypted password in your database, then simply encrypt the inserted parameter the same way and compare those. - Oceans
These parameter I am passing "Server name, database, userId and password" to create connection string dynamically in data source. Any how I send encrypted password in parameter, it need to be decrypted to create proper connection string in SSRS data source. I can also add custom code or function by adding custom assembly but same code will be accessible by user in Report Builder. - par
What dbms are you using, I assume SQL Server? Maybe you should take a good look at this: Specify Credential and Connection Information for Report Data Sources - Oceans
@Oceans, Thanks for providing good article but it is not fitting for the requirement anyway. yes its SQL Server. -Prompt the user for credentials :Not possible because some users can view report with provided website user/password. He will have no idea about DB. -Store credentials:Not possible because user will see data in website as well as in report by database selected at the time of log-in. database selection option is given at the time of log-in in website because there would be more than one database. so one report will show different data based on selected DB by the user.(1/2) - par
-Use Windows integrated security : Not possible because most of our client are not allowing use to use integrated security for database access. we need to use their provided credentials for all database access. -Use no credentials : we need to use client provided credentials for all database access. Correct me if i missed something from that article. (2/2) - par

1 Answers

1
votes

I suggested that the OP should read the following documentation:
Specify Credential and Connection Information for Report Data Sources

This were the remarks made by the OP:

  • Prompt the user for credentials :Not possible because some users can view report with provided website user/password. He will have no idea about DB.

  • Store credentials: Not possible because user will see data in website as well as in report by database selected at the time of log-in. Database selection option is given at the time of log-in in website because there would be more than one database. so one report will show different data based on selected DB by the user.

  • Use Windows integrated security : Not possible because most of our client are not allowing use to use integrated security for database access. we need to use their provided credentials for all database access.

  • Use no credentials : we need to use client provided credentials for all database access. Correct me if i missed something from that article

This is my response and answer to the presented problem:

You require a user to login to your website, as soon as the user is logged in you should be able to know who this user is. This also means that you can give a user specific rights/access to your application.
So you can use the Stored Credentials and more specifically use the Integrated Security.

Type                 |  Context for network connection  |  Data Source
-------------------- | -------------------------------- | -----------------
Integrated security  |  Impersonate the current user    | For all data source types, connect using the current user account

I believe the following documentation might be exactly what you're looking for.
How to: Secure Connection Strings When Using Data Source Controls

I would strongly recommend creating a new table containing data that specifies the different access levels to then have a junction table with the user table. This will make it easy to determine which user has access to which report and allow for an easy implementatuon of the Integraded Security.