Solved

Preventing users from viewing reports.

Posted on 2004-08-24
Last Modified: 2013-12-16
Can I prevent users from viewing other reports...

I.e., a user can look at the URL and see 23 as the reportid; they can then change the id to 21 and run a different report.

Any help would be appreciated...

cr8.5
db=Oracle 8i
weblanguage= coldfusion
Question by:astro26
10 Comments
 
LVL 42

Expert Comment

by:frodoman
ID: 11884447
If you're using unmanaged reports, then no, you cannot prevent them from running other reports.  There are, however, some steps you can take, such as using different db logins for different classes of users (so even if they change the URL they won't be able to log in to the db).  You can also only open a URL report in a popup window with the location bar hidden so the URL isn't readily visible.

These and similar steps can stop the casual user from simply changing the number to see what they can get into.  There's no really secure way to deal with this issue, though, except to use managed reports with security controls.

HTH

frodoman
0
 
LVL 100

Expert Comment

by:mlmcc
ID: 11884495
Agree with frodoman.

mlmcc
0
 
LVL 13

Expert Comment

by:EwaldL
ID: 11887694
If you have an id, then the reports must be published in Crystal Enterprise. It might be enough to disable the guest account. This means every user has to log on with user name and password. You can then use Crystal Enterprise to give different users different (or no) access rights on a report level. The Crystal Management Console should allow you to change all these settings.
0
 
LVL 10

Expert Comment

by:ebolek
ID: 11887891
EwaldL,

What if he doesn't have Crystal Enterprise? The management console also comes with that. How will he do it?

Regards
Emre
0
 
LVL 13

Expert Comment

by:EwaldL
ID: 11889648
He could write his own security mechanism where people have to log on, and based on the logon only specific reports will be made available. Saying that, it sounds like he has Crystal Enterprise and the management console, as currently reports are called by their id through the URL. I guess that is the id assigned by CE to each report.
0

 

Author Comment

by:astro26
ID: 11903407
I have Crystal Enterprise.
Currently we have a custom routine which logs in the user and gets the APS token...

The user can then change the reportid and view any report if he/she knows the id, because the token is still valid.  We use the same routine for creating the token for every report.  In the routine we validate the user to view that report.

Interestingly enough, the token allows the user to view any other report if they know the id (if the report requires parameters, then the parameters are asked and the report is generated).

We use the HTML frame version for viewing reports.
0
 
LVL 10

Expert Comment

by:ebolek
ID: 11903427
Thanks EwaldL. We don't have it, so my information about it is limited.

Regards
Emre
0
 

Author Comment

by:astro26
ID: 11903449
All reports connect to Crystal using the same username and password.

It seems to me that this is very insecure. I can think of other ways to secure it, but would like a way which you experts feel is best...

Request:
1) user need not log in to the report, only the app
2) user only be able to view the report for the app
3) user cannot "hijack" the token and access other reports.
4) solution must be manageable.
0
 

Author Comment

by:astro26
ID: 11903493
I would think that

1) create separate user names/groups in Enterprise for viewing reports... have the custom routine call the correct username/password for the given report area.
2) only allow developers to be members of the Everyone group... currently superuser is a member of Everyone, and all reports use that username and its password

0
 
LVL 42

Accepted Solution

by:
frodoman earned 50 total points
ID: 11903577
astro,

Certainly the best solution is to limit access on CE.  We have around 3 dozen user groups and allow access to reports based on group membership.  That way even if a user starts randomly entering id numbers, they will only be able to see reports for which they are allowed access anyway.

frodoman
0
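The group-based restriction in the accepted answer, and the asker's requirement that editing the reportid must not expose another report, can be sketched on the application side as follows. This is an added example, not code from the thread, written in Python rather than the site's ColdFusion; it calls no Crystal Enterprise API, and the group names, users, secret and function names are all constructed for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample data: report id -> groups allowed to view it, and
# user -> group memberships (stand-ins for the groups configured in CE).
REPORT_GROUPS = {21: {"finance"}, 23: {"sales", "finance"}}
USER_GROUPS = {"alice": {"sales"}, "bob": {"finance"}}
SECRET = b"constructed-demo-key"  # assumption: kept server-side only


def can_view(user, report_id):
    """Deny by default: unknown users, unknown reports and bad ids all fail."""
    try:
        rid = int(report_id)
    except (TypeError, ValueError):
        return False
    return bool(REPORT_GROUPS.get(rid, set()) & USER_GROUPS.get(user, set()))


def _mac(user, rid, expires):
    # Binds the link to one user, one report id and one expiry time.
    msg = f"{user}|{rid}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_link(user, report_id, ttl=300, now=None):
    """Return query parameters for a report link, or None if access is denied."""
    if not can_view(user, report_id):
        return None
    rid = int(report_id)
    expires = int(time.time() if now is None else now) + ttl
    return {"reportid": rid, "exp": expires, "sig": _mac(user, rid, expires)}


def check_request(user, params, now=None):
    """Run on every report request: signature, expiry, then the ACL again."""
    try:
        rid, expires = int(params["reportid"]), int(params["exp"])
        sig = str(params["sig"]).encode()
    except (KeyError, TypeError, ValueError):
        return False
    if not hmac.compare_digest(sig, _mac(user, rid, expires).encode()):
        return False  # reportid, exp or user differs from what was issued
    current = int(time.time() if now is None else now)
    return current <= expires and can_view(user, rid)
```

A check like this only protects requests that pass through the application; as the thread notes, the CE token itself is accepted for any report id, so the per-group rights on the CE side are still what stops direct requests.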
