5

I have written and deployed a custom security extension for SSRS 2008r2 and it works beautifully apart from when trying to deploy reports from within BIDS 2008/Visual Studio.

The architecture for the security extension handles logins via multiple authorities and I manage this by creating a user session in LogonUser(), persisting this in a database and then loading the session in the client proxy class for the RS web service using a UID passed by cookie from the service, then rewriting the authentication ticket to contain the session UID plus user roles for the current user. These values can then be used in the custom authorization extension to manage user permissions on SSRS actions and objects.

The problem I have run into is that it does not work when deploying reports from BIDS. Its accesses the service directly and therefore the service proxy class is not required. I have tried handling the post-authentication event on the HTTP context but alas the session cookie is not persisted by the RS service so I cannot access the session values.

So what am I missing? Is there another method for controlling user roles & permissions that does not require hard coding usernames anywhere? Like I said, logins can be made using multiple authorities so managing permissions via just a username is not possible (and the thought of it makes me cringe).

One possible solution I thought of is writing an extension or plugin for BIDS that essentially acts as a proxy for the web service which would allow me more control over the login process, but I have no idea if this is possible (google is no help...)

Any help would be gratefully accepted!

Dan
  • 1,489
  • 12
  • 16

2 Answers2

2

Are you using the IAuthenticationExtension interface? The following link provides a sound example of access control if that is what you require. http://blogs.msdn.com/b/jameswu/archive/2008/07/15/anonymous-access-in-sql-rs-2008.aspx

I would imagine that the nt username can be tracked here and then lookups made against active directory groups etc. The main headache I can see here would be enabling the correct trust policy in the ssrs policy configuration.

Alex H
  • 733
  • 4
  • 8
  • Thanks for your answer but as I mentioned above I am using forms authentication with more than one authority for login credentials so tracking permissions with just a username is not possible (eg there may be different users with the same username in each authority). I am definitely not using anonymous access. – Dan Feb 26 '12 at 20:21
2

Well I gave up on finding an elegant solution so I have gone down the road of least resistance and followed what I gather is the SSRS guideline of having a 'master' account, which I will specify is to be used for report deployment and subscriptions. This account will need to be hard coded in or pulled from a settings file I'm not sure if there is any other way. Cheers.

Update: I have gone down this road and it works fine. If a user is logged in through the web front end they can deploy reports there, but if they want to deploy from the development environment (BIDS) they need to log in using the master account when it the login dialog shows. I have restricted the deploying account to only this specific use.

Dan
  • 1,489
  • 12
  • 16
  • Sounds like a viable option. Another direction is to use other tools for report deployment. We only use BIDS deployment for initial report server deployment, and that only half the time. RSS (http://stackoverflow.com/questions/3056799/automating-ssrs-report-deployment ) might have the same authentication problem, but deploying via IE isn't the worst thing in the world... – Jamie F Feb 27 '12 at 20:41
  • @JamieF thanks for your comment, yeah I had thought about deployment through the web front end, but IMO this only complicates things for the report developers. Also the same issue occurs when subscriptions run (i.e. user details can't properly be loaded) so a master account would be a two birds/one stone approach. But I'm not particularly happy about it. – Dan Feb 27 '12 at 21:23