Setting up access to SSRS report requiring login to data source
I have a report that accesses sensitive data and I'm required to have the user log in to the SSRS portal and then again into the data source to make sure the data isn't viewed by the wrong staff.
I feel like I've tried everything at this point, but no matter what I try I cannot access a data source by logging in to it from an SSRS report. I've tried:
All users have access through to the data when I run a select statement in SSMS, so I'm stumped. I've messed around with giving explicit rights to Connect, Select, Authenticate for the Server, DB, view and still no luck.
Are your users in Active Directory, or are you using SQL Authentication? Because if your users are in AD you can do this easily. I think you need the SSRS in Native Mode not SharePoint mode too, but I'm not 100% certain about that.
If you do all this, here's how access works - when a user first goes to SSRS to view a report, SSRS will check to see if the user has permission to see the (empty) report. If they are in the group (or have permissions another way, so this is hard for a developer to test on their own machine) they get the empty report.
SSRS then checks the data source (which has no credentials!) to see if they can use it. Again, if in the group, yes. They still don't have data, but they can get the connection details. If they can, SSRS will pass a token from their Windows session to the database to see if they can actually get the data.
If they make it this far, SQL will only let them execute the stored procedure (and get the data) if they are in that group with EXECUTE permissions on that stored procedure.
The users don't see these logins, the browser is automatically forwarding their login tokens (not credentials), but authorization is checked at every step and is very secure.
A few notes: First, your SSRS server has to be in a trusted zone for this to work smoothly; if it is, then the browser will pass authentication tokens to SSRS seamlessly. If not, they'll have to "log in" to SSRS every time, which gets old fast. Set this with your Group Policy.
Second, some configurations may include 2-hop authentication, a problem for ordinary NTLM. You may need to set up Delegated Constraints to make this work smoothly.
I didn't do either of these myself, but we had to do both at my company. Neither was particularly painful (or at least the guy who did it didn't complain), but I couldn't tell you how to do either, and I may not be using the ideal descriptions/terms.
Third, this scales well, if you have 3 different types of reports, you can create 3 different groups and your users can be in any combination of groups, getting access to only the data relevant to the groups they are in.
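The database side of the setup described in this answer, as an added T-SQL example that is not part of the original post: the AD group gets a Windows login and EXECUTE on one stored procedure, and two checks show what the group and one of its members can actually reach. `CONTOSO\SensitiveReportReaders`, `CONTOSO\alice`, `ReportingDB` and `dbo.usp_SensitiveReport` are hypothetical names.

```sql
-- Added example. Every domain, group, user, database and procedure
-- name below is a hypothetical placeholder.

USE master;
GO
-- One Windows login for the AD group; members need no login of their own.
CREATE LOGIN [CONTOSO\SensitiveReportReaders] FROM WINDOWS;
GO

USE ReportingDB;
GO
-- Map the group into the database (this also grants CONNECT).
CREATE USER [CONTOSO\SensitiveReportReaders]
    FOR LOGIN [CONTOSO\SensitiveReportReaders];
GO

-- The only object right the group receives. With the procedure and the
-- tables it reads under the same owner, ownership chaining lets the
-- procedure return rows without any SELECT grant on those tables.
GRANT EXECUTE ON OBJECT::dbo.usp_SensitiveReport
    TO [CONTOSO\SensitiveReportReaders];
GO

-- Check 1: list everything granted or denied to the group in this database.
-- Rows beyond CONNECT and EXECUTE on the report procedure are access the
-- report does not need and should be reviewed.
SELECT pr.name                         AS principal_name,
       pe.state_desc,
       pe.permission_name,
       pe.class_desc,
       OBJECT_SCHEMA_NAME(pe.major_id) AS schema_name,
       OBJECT_NAME(pe.major_id)        AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'CONTOSO\SensitiveReportReaders';
GO

-- Check 2: show through which login(s) a given Windows user reaches the
-- server. The "permission path" column names the group that lets them in,
-- which exposes users who "have permissions another way".
EXEC xp_logininfo @acctname = N'CONTOSO\alice', @option = 'all';
GO
```

Run the checks from an account that can view security metadata; a developer who is sysadmin will pass every step regardless of group membership, which is the testing difficulty the answer mentions.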