3

My question relates more to the security of its implementation than just technical questions.

I have developed all the reports and are on Reporting Server. They are used by application using the ReportViewer Control in ASP.NET.

Given that these reports may have different DataSources, I created a parameter to the DataSource in the report and send connectionString application as parameter to the report.

So far everything is fine, however, this is where my question arises. Since I spend a ConnectionString that has a user and password for parameter, I will not have here a security flaw?

I would like an opinion from you, and if anyone has a better way to implement, tell me.

PookPook
  • 447
  • 3
  • 11
  • 26

1 Answers1

7

Maybe Expression-Based Connection Strings will help here?

The docs have a pretty clear example, i.e. a connection string similar to:

="data source=" & Parameters!ServerName.Value & ";initial catalog=AdventureWorks

These allow you to still pass a parameter to define the Data Source, but it also allows you to store credentials separately so that way you don't necessarily have to pass any security details when calling the report.

Added after comment:

Here's an example report with an Expression-based Connection String.

enter image description here

You can see the Connection String uses a parameter to determine exactly where it's connecting; this can be updated as you require.

The credentials are stored in the Data Source; you can store the credentials (see the above screenshot) or you can choose any other option that suits, e.g. Windows Integrated Security.

So it might not suit you perfectly but this is the inbuilt SSRS functionality for this sort of configurable Data Source requirement.

Second edit:

In the above example, Parameters!ServerName.Value is indeed a report parameter, you would just create it like any another. Depending on how your reports are being launched, you could make it a hidden parameter and handle the actual value sent in code; it's just a question of implementation and really up to you.

For Expression-based connection strings, the Data Source must be stored in the report, and its Connection String is determined at run time.

So you can build whatever you need, based on one or more parameters - it's just a string value you're constructing so you can make it whatever you want to suit your purpose; you can point it to whatever server/database combination required. Please clarify if this doesn't answer your question.

Ian Preston
  • 38,816
  • 8
  • 95
  • 92
  • But where i put the credentials? – PookPook Feb 11 '13 at 12:51
  • These are stored at the Data Source level; see the above edit. – Ian Preston Feb 11 '13 at 13:02
  • Ok, nice. But the "Parameters!ServerName.Value" must be declared in the report? And how do I set the datasource of the report, so come get the datasource that is on serverreport? The link between both, I cant understand. – PookPook Feb 11 '13 at 13:21
  • Yes, i understand the idea. But I'm trying to call this datasource in reportviewer but not find the datasource. And is a shared datasource, cant put parameters in a shared datasource on ssrs 2008. – PookPook Feb 11 '13 at 16:09
  • That's correct, you can't use Shared Data Sources by design, you'll need to use embedded Data Sources. I suppose this makes sense as you're using a report parameter, and in a Shared Data Source any report could use it so there is no guarantee that the required parameters will exist. So that's an implementation decision for you; move to an embedded Data Source model or continue passing credentials in the report. – Ian Preston Feb 11 '13 at 16:16
  • And pass in the parameter the userid and password? – PookPook Feb 11 '13 at 18:03
  • Another thing, I created a datasource with parameter where the sending userid and password. but it is giving me the error: Can not complete the current action. The data source credentials do not meet the user's requirements to run this report or shared dataset. These credentials are not stored in the database report server or user data source is configured not to require credentials but the unattended execution account is not specified. (rsInvalidDataSourceCredentialSetting). I will not have to put the DataSource to the Report Server? – PookPook Feb 11 '13 at 18:37
  • Sorry if the above comment wasn't clear, I meant you can continue passing the credentials in the connection string or using an embedded Data Source. I don't see any real difference between the first option and passing userid/password through parameters. – Ian Preston Feb 11 '13 at 22:34
  • Also it looks like the above error is due to a Data Source with no credentials, which requires an Unattended Execution Account. See http://msdn.microsoft.com/en-us/library/ms156302.aspx for more details. – Ian Preston Feb 11 '13 at 22:35
  • Thanks! Problem solved. Now to see if it was safe to send the userid and password parameter. But I also do not find great information about it. – PookPook Feb 12 '13 at 10:51