
Preventing users from viewing reports.

Posted on 2004-08-24
Last Modified: 2013-12-16
Can I prevent users from viewing other reports...

i.e., a user can look at the URL and see 23 as the reportid; they can then change the id to 21 and run a different report.

Any help would be appreciated...

cr8.5
db=Oracle 8i
weblanguage= coldfusion
Question by:astro26
10 Comments
 
LVL 42

Expert Comment

by:frodoman
ID: 11884447
If you're using unmanaged reports, then no, you cannot prevent them from running other reports.  There are however some steps you can take, such as using different db logins for different classes of users (so even if they change the URL they won't be able to log in to the db).  You can also only open a URL report in a popup window with the location bar hidden so the URL isn't readily visible.

These and similar steps can stop the casual user from simply changing the number to see what they can get into.  There's no really secure way to deal with this issue though except to use managed reports with security controls.

HTH

frodoman
0
 
LVL 101

Expert Comment

by:mlmcc
ID: 11884495
Agree with frodoman.

mlmcc
0
 
LVL 13

Expert Comment

by:EwaldL
ID: 11887694
If you have an id, then the reports must be published in Crystal Enterprise. It might be enough to disable the guest account. This means every user has to log on with user name and password. You can then use Crystal Enterprise to give different users different (or none) access rights on a report level. The Crystal Management Console should allow you to change all these settings.
0
 
LVL 10

Expert Comment

by:ebolek
ID: 11887891
EwaldL,

What if he doesn't have Crystal Enterprise, and the management console also comes with that? How will he do it?

Regards
Emre
0
 
LVL 13

Expert Comment

by:EwaldL
ID: 11889648
He could write his own security mechanism where people have to log on, and based on the logon only specific reports will be made available. Saying that, it sounds like he has Crystal Enterprise and the management console, as currently reports are called by their id through the URL. I guess that is the id assigned by CE to each report.
0
 

Author Comment

by:astro26
ID: 11903407
I have Crystal Enterprise.
Currently we have a custom routine which logs in the user and gets the APS token...

The user can then change the reportid and view any report if he/she knows the id, because the token is still valid.  We use the same routine for creating the token for every report.  In the routine we validate the user to view that report.

Interestingly enough, the token allows the user to view any other report if they know the id (if the report requires parameters, then the parameters are asked and the report is generated).

We use the HTML frame version for viewing reports.
0
 
LVL 10

Expert Comment

by:ebolek
ID: 11903427
Thanks, EwaldL. We don't have it, so my information about it is limited.

Regards
Emre
0
 

Author Comment

by:astro26
ID: 11903449
All reports connect to Crystal using the same username and password.

It seems to me that this is very insecure. I can think of other ways to secure it, but would like a way which you experts feel is best...

Request:
1) user need not log in to the report, only the app
2) user should only be able to view the report for the app
3) user cannot "hijack" the token and access other reports.
4) solution must be manageable.
0
 

Author Comment

by:astro26
ID: 11903493
I would think that

1) create separate user names/groups in Enterprise for viewing reports... have the custom routine call the correct username/password for the given report area.
2) only allow developers to be members of the Everyone group... currently superuser is a member of Everyone and all reports use that username and its password

0
 
LVL 42

Accepted Solution

by:
frodoman earned 200 total points
ID: 11903577
astro,

Certainly the best solution is to limit access on CE.  We have around 3 dozen user groups and allow access to reports based on group membership.  That way even if a user starts randomly entering id numbers, they will only be able to see reports for which they are allowed access anyway.

frodoman
0
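An added example, not code from the thread or from Crystal Enterprise: it contrasts the pattern astro26 describes (a valid token opens any report id) with the group-based check frodoman recommends, evaluated on every request against the requested id. Python is used only to model the logic; the users, groups, report ids and function names are constructed, and no Crystal Enterprise SDK calls are made.

```python
import secrets

# Constructed sample data: which groups may view each report id.
REPORT_GROUPS = {
    21: {"finance"},
    23: {"sales", "finance"},
}

# Constructed sample data: group membership per application user.
USER_GROUPS = {
    "alice": {"sales"},
    "bob": {"finance"},
}

SESSIONS = {}  # token -> username


def login(username):
    """Issue a session token (stands in for the custom login routine)."""
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    return token


def can_view(username, report_id):
    """True only if the user shares at least one group with the report."""
    allowed = REPORT_GROUPS.get(report_id, set())  # unknown id: nobody
    return bool(allowed & USER_GROUPS.get(username, set()))


def view_report_token_only(token, report_id):
    """Pattern from the question: the requested id is never checked."""
    if token not in SESSIONS:
        return 401
    return 200


def view_report_checked(token, report_id):
    """Authorization is re-evaluated per request, keyed on the requested id."""
    username = SESSIONS.get(token)
    if username is None:
        return 401
    if not can_view(username, report_id):
        return 403
    return 200
```

With this check in place, editing the id in the URL only ever reaches reports the user's groups already allow, which is the property requirement 3 asks for.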
