I'm considering using the Microsoft.ReportViewer.WebForms ReportViewer control on an ASP.NET web form in a custom web app for displaying RDL reports. The RDL reports use parameters. One of the parameters is a department parameter. Users in dept A should only be allowed to use A as the value for the parameter, users in dept B should only be allowed to use B as the value for the parameter, and so on.
The department parameter value (along with all other parameter values) will be set programmatically in the code-behind logic for the ASP.NET web form hosting the ReportViewer control. The server-side logic looks up the department parameter value based on the user's profile. The report is configured so that the department parameter is not visible.
Here's my question: Are there any known back doors in the ReportViewer control whereby a user could pass a "department" value as part of an HTTP request and gain access to data for which they shouldn't have access? Note that this question applies to both simple tabular reports and more complex drill through reports, where department may be a value passed from the main report down to the drill through report.
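The setup described in the question, written out as an added C# code-behind sketch (not code from the original post): the department is taken only from the server-side profile lookup, set as a non-visible parameter, and re-checked as defense in depth whenever a drill through report is opened. The parameter name `Department`, the report server URL and path, the `ReportViewer1` control ID, the profile table, and the assumption that every drill through target takes the same parameter are all hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Web.UI;
using Microsoft.Reporting.WebForms;

public partial class DeptReportPage : Page
{
    // Assumption: the markup declares <rsweb:ReportViewer ID="ReportViewer1" runat="server" />.
    // Declared here so the sketch reads stand-alone; normally this lives in the designer file.
    protected ReportViewer ReportViewer1;
    private const string DeptParam = "Department"; // hypothetical parameter name

    // Constructed stand-in for the real user-profile store.
    private static readonly Dictionary<string, string> Profiles =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        { { @"CORP\alice", "A" }, { @"CORP\bob", "B" } };

    // The department always comes from the authenticated identity,
    // never from Request.QueryString, Request.Form, cookies or view state.
    private string LookupDepartment()
    {
        string dept;
        if (!Profiles.TryGetValue(Context.User.Identity.Name, out dept))
            throw new UnauthorizedAccessException("No department on profile.");
        return dept;
    }

    protected void Page_Init(object sender, EventArgs e)
    {
        ReportViewer1.Drillthrough += OnDrillthrough;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;
        ReportViewer1.ProcessingMode = ProcessingMode.Remote;
        ReportViewer1.ShowParameterPrompts = false;
        ReportViewer1.ServerReport.ReportServerUrl =
            new Uri("https://reports.example.internal/ReportServer"); // placeholder URL
        ReportViewer1.ServerReport.ReportPath = "/Sales/DeptSummary";   // placeholder path
        ReportViewer1.ServerReport.SetParameters(
            new[] { new ReportParameter(DeptParam, LookupDepartment(), false) });
    }

    // Cancel any drill through whose department differs from the caller's own.
    private void OnDrillthrough(object sender, DrillthroughEventArgs e)
    {
        var target = e.Report as ServerReport;
        ReportParameterInfo p = target == null ? null : target.GetParameters()[DeptParam];
        e.Cancel = p == null || p.Values.Count != 1 ||
                   !string.Equals(p.Values[0], LookupDepartment(), StringComparison.Ordinal);
    }
}
```

The drill through check fails closed: a target report without the department parameter, or with more than one value for it, is cancelled rather than rendered.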