Solved

Preventing users from viewing reports.

Posted on 2004-08-24
Last Modified: 2013-12-16
Can I prevent users from viewing other reports...

I.e., the user can look at the URL and see 23 as the reportid; they can then change the id to 21 and run a different report.

Any help would be appreciated...

cr8.5
db=Oracle 8i
weblanguage= coldfusion
Question by:astro26
10 Comments
 
LVL 42

Expert Comment

by:frodoman
ID: 11884447
If you're using unmanaged reports, then no, you cannot prevent them from running other reports.  There are, however, some steps you can take, such as using different db logins for different classes of users (so even if they change the URL they won't be able to log in to the db).  You can also open a URL report only in a popup window with the location bar hidden so the URL isn't readily visible.

These and similar steps can stop the casual user from simply changing the number to see what they can get into.  There's no really secure way to deal with this issue, though, except to use managed reports with security controls.

HTH

frodoman
0
 
LVL 100

Expert Comment

by:mlmcc
ID: 11884495
Agree with frodoman.

mlmcc
0
 
LVL 13

Expert Comment

by:EwaldL
ID: 11887694
If you have an id, then the reports must be published in Crystal Enterprise. It might be enough to disable the guest account. This means every user has to log on with user name and password. You can then use Crystal Enterprise to give different users different (or no) access rights on a report level. The Crystal Management Console should allow you to change all these settings.
0
 
LVL 10

Expert Comment

by:ebolek
ID: 11887891
EwaldL,

What if he doesn't have Crystal Enterprise? The management console also comes with that. How will he do it?

Regards
Emre
0
 
LVL 13

Expert Comment

by:EwaldL
ID: 11889648
He could write his own security mechanism where people have to log on, and based on the logon only specific reports will be made available. Saying that, it sounds like he has Crystal Enterprise and the management console, as currently reports are called by their id through the URL. I guess that is the id assigned by CE to each report.
0

Author Comment

by:astro26
ID: 11903407
I have Crystal Enterprise.
Currently we have a custom routine which logs in the user and gets the APS token...

The user can then change the reportid and view any report if he/she knows the id, because the token is still valid.  We use the same routine for creating the token for every report.  In the routine we validate the user to view that report.

Interestingly enough, the token allows the user to view any other report if they know the id (if the report requires parameters, then the parameters are asked for and the report is generated).

We use the HTML frame version for viewing reports.
0
 
LVL 10

Expert Comment

by:ebolek
ID: 11903427
Thanks EwaldL. We don't have it, so my information about it is limited.

Regards
Emre
0
 

Author Comment

by:astro26
ID: 11903449
All reports connect to Crystal using the same username and password.

It seems to me that this is very unsecure. I can think of other ways to secure it, but would like a way which you experts feel is best...

Requirements:
1) user need not log in to the report, only the app
2) user can only view the reports for the app
3) user cannot "hijack" the token and access other reports
4) solution must be manageable
0
 

Author Comment

by:astro26
ID: 11903493
I would think that

1) Create separate user names/groups in Enterprise for viewing reports... have the custom routine call the correct username/password for the given report area.
2) Only allow developers to be members of the Everyone group... currently superuser is a member of Everyone, and all reports use that username and its password.

0
 
LVL 42

Accepted Solution

by:
frodoman earned 50 total points
ID: 11903577
astro,

Certainly the best solution is to limit access on CE.  We have around 3 dozen user groups and allow access to reports based on group membership.  That way even if a user starts randomly entering id numbers, they will only be able to see reports for which they are allowed access anyway.

frodoman
0
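
The approach in the accepted answer (group-based access per report) combined with the asker's requirement that a token cannot be reused for another report id, sketched as an added example that is not part of the original thread and does not use the Crystal Enterprise API. The group table, user names, signing key and function names are all hypothetical, and the sample data is constructed.

```python
import hashlib
import hmac
import time

# Constructed sample data: hypothetical report ACL and group membership.
SECRET = b"demo-key-placeholder"  # placeholder signing key, kept server-side
REPORT_GROUPS = {21: {"finance"}, 23: {"sales", "finance"}}
USER_GROUPS = {"alice": {"sales"}, "bob": {"finance"}}


def _sign(user, report_id, expires):
    msg = f"{user}|{report_id}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def may_view(user, report_id):
    """Deny by default: the user needs a group that the report lists."""
    allowed = REPORT_GROUPS.get(report_id, set())
    return bool(allowed & USER_GROUPS.get(user, set()))


def issue_token(user, report_id, ttl=300, now=None):
    """Issue a token only after the ACL check, scoped to one report id."""
    if not may_view(user, report_id):
        raise PermissionError(f"{user} may not view report {report_id}")
    expires = int(time.time() if now is None else now) + ttl
    return f"{user}|{report_id}|{expires}|{_sign(user, report_id, expires)}"


def authorize_request(token, requested_report_id, now=None):
    """Run on every report request, using the id taken from the URL."""
    try:
        user, rid, expires, mac = token.split("|")
        rid, expires = int(rid), int(expires)
        requested = int(requested_report_id)
    except ValueError:
        return False                      # malformed token or id
    if not hmac.compare_digest(mac, _sign(user, rid, expires)):
        return False                      # forged or altered token
    if (time.time() if now is None else now) > expires:
        return False                      # expired
    if rid != requested:
        return False                      # token reused for another report id
    return may_view(user, rid)            # re-check in case access was revoked
```

Changing the id in the URL from 23 to 21 fails twice here: the token is bound to report 23, and the group check for report 21 is repeated on the server regardless of what the client sends.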

Question has a verified solution.
