Solved

Preventing users from viewing reports.

Posted on 2004-08-24
Last Modified: 2013-12-16
Can I prevent users from viewing other reports...

i.e., a user can look at the URL and see 23 as the reportid; they can then change the id to 21 and run a different report.

Any help would be appreciated...

cr8.5
db=Oracle 8i
weblanguage= coldfusion
Question by:astro26
 
LVL 42

Expert Comment

by:frodoman
ID: 11884447
If you're using unmanaged reports, then no, you cannot prevent them from running other reports.  There are, however, some steps you can take, such as using different db logins for different classes of users (so even if they change the URL they won't be able to log in to the db).  You can also only open a URL report in a popup window with the location bar hidden so the URL isn't readily visible.

These and similar steps can stop the casual user from simply changing the number to see what they can get in to.  There's no really secure way to deal with this issue though except to use managed reports with security controls.

HTH

frodoman
0
 
LVL 101

Expert Comment

by:mlmcc
ID: 11884495
Agree with frodoman.

mlmcc
0
 
LVL 13

Expert Comment

by:EwaldL
ID: 11887694
If you have an id, then the reports must be published in Crystal Enterprise. It might be enough to disable the guest account. This means every user has to log on with user name and password. You can then use Crystal Enterprise to give different users different (or none) access rights on a report level. The Crystal Management Console should allow you to change all these settings.
0
 
LVL 10

Expert Comment

by:ebolek
ID: 11887891
EwaldL

What if he doesn't have Crystal Enterprise? The management console also comes with that. How will he do it?

Regards
Emre
0
 
LVL 13

Expert Comment

by:EwaldL
ID: 11889648
He could write his own security mechanism where people have to log on and, based on the logon, only specific reports will be made available. Saying that, it sounds like he has Crystal Enterprise and the management console, as currently reports are called by their id through the URL. I guess that is the id assigned by CE to each report.
0
 

Author Comment

by:astro26
ID: 11903407
I have Crystal Enterprise.
Currently we have a custom routine which logs in the user and gets the APS token...

The user can then change the reportid and view any report if he/she knows the id, because the token is still valid.  We use the same routine for creating the token for every report.  In the routine we validate the user to view that report.

Interestingly enough, the token allows the user to view any other report if they know the id (if the report requires parameters, then the parameters are asked and the report is generated).

We use the HTML frame version for viewing reports.
0
 
LVL 10

Expert Comment

by:ebolek
ID: 11903427
Thanks EwaldL. We don't have it, so my information about it is limited.

Regards
Emre
0
 

Author Comment

by:astro26
ID: 11903449
All reports connect to Crystal using the same username and password.

It seems to me that this is very insecure. I can think of other ways to secure it, but would like a way which you experts feel is best...

Request:
1) user need not log in to the report, only the app
2) user only be able to view the report for the app
3) user cannot "hijack" the token and access other reports.
4) solution must be manageable.
0
 

Author Comment

by:astro26
ID: 11903493
I would think that

1) create separate user names/groups in Enterprise for viewing reports... have the custom routine call the correct username/password for the given report area.
2) only allow developers to be members of the everyone group... currently superuser is a member of everyone and all reports use that username and its password

0
 
LVL 42

Accepted Solution

by:
frodoman earned 50 total points
ID: 11903577
astro,

Certainly the best solution is to limit access on CE.  We have around 3 dozen user groups and allow access to reports based on group membership.  That way even if a user starts randomly entering id numbers, they will only be able to see reports for which they are allowed access anyway.

frodoman
0
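
The per-report, group-based restriction recommended in the accepted answer, contrasted with the token-only check the asker describes, as an added Python example (not code from the thread and not the Crystal Enterprise API). The report ids, group names, user names and function names are all constructed for illustration.

```python
import secrets

# Constructed sample data: ids, groups and users are hypothetical.
REPORT_GROUPS = {21: {"finance"}, 23: {"sales", "finance"}}  # report -> groups
USER_GROUPS = {"alice": {"sales"}, "bob": {"finance"}}       # user -> groups
SESSIONS = {}  # token -> user (stand-in for the logon token)


def can_view(user, report_id):
    """Deny by default: unknown users and unknown reports get no access."""
    allowed = REPORT_GROUPS.get(report_id, set())
    return bool(allowed & USER_GROUPS.get(user, set()))


def login(user, requested_report):
    """Pattern from the thread: authorize once, when the token is issued."""
    if not can_view(user, requested_report):
        raise PermissionError("not allowed")
    token = secrets.token_hex(16)  # placeholder, not a real CE token format
    SESSIONS[token] = user
    return token


def view_report_weak(token, report_id):
    """Checks only that the token is valid, so any report id is served."""
    if token not in SESSIONS:
        raise PermissionError("invalid token")
    return f"report {report_id}"


def view_report_checked(token, report_id):
    """Re-checks group membership for the requested id on every request."""
    user = SESSIONS.get(token)
    if user is None:
        raise PermissionError("invalid token")
    try:
        report_id = int(report_id)  # the id arrives as URL text
    except (TypeError, ValueError):
        raise PermissionError("bad report id")
    if not can_view(user, report_id):
        raise PermissionError(f"{user} may not view report {report_id}")
    return f"report {report_id}"
```
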
