  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 290

Preventing users from viewing reports.

Can I prevent users from viewing other reports...

i.e., the user can look at the URL and see 23 as the reportid; they can then change the id to 21 and run a different report.

any help would be appreciated...

cr8.5
db=Oracle 8i
weblanguage= coldfusion
astro26
 
frodoman Commented:
If you're using unmanaged reports, then no, you cannot prevent them from running other reports.  There are, however, some steps you can take, such as using different db logins for different classes of users (so even if they change the URL they won't be able to log in to the db).  You can also only open a URL report in a popup window with the location bar hidden so the URL isn't readily visible.

These and similar steps can stop the casual user from simply changing the number to see what they can get into.  There's no really secure way to deal with this issue though except to use managed reports with security controls.

HTH

frodoman
0
 
mlmcc Commented:
Agree with frodoman.

mlmcc
0
 
EwaldL Commented:
if you have an id, then the reports must be published in crystal enterprise. it might be enough to disable the guest account. this means every user has to log on with user name and password. you can then use crystal enterprise to give different users different (or no) access rights on a report level. The Crystal Management Console should allow you to change all these settings.
0

 
ebolek Commented:
Ewaldl

What if he doesn't have Crystal Enterprise, and the management console also comes with that? How will he do it?

Regards
Emre
0
 
EwaldL Commented:
he could write his own security mechanism where people have to log on and based on the logon only specific reports will be made available. saying that, it sounds like he has crystal enterprise and the management console, as currently reports are called by their id through url. i guess that is the id assigned by ce to each report.
0
 
astro26 (Author) Commented:
I have crystal enterprise.
currently we have a custom routine which logs in the user and gets the aps token...

the user can then change the reportid, and view any report if he/she knows the id, because the token is still valid.  we use the same routine for creating the token for every report.  in the routine we validate the user to view that report.

interestingly enough the token allows the user to view any other report if they know the id (if the report requires parameters, then the parameters are asked and the report is generated).

we use the html frame version for viewing reports.
0
 
ebolek Commented:
thanks ewaldl. We don't have it so my information about it is limited.

Regards
Emre
0
 
astro26 (Author) Commented:
all reports connect to crystal using the same username and password.

It seems to me that this is very unsecure. I can think of other ways to secure it, but would like a way which you experts feel is best...

request.
1) user need not log in to the report, only the app
2) user only be able to view the report for the app
3) user cannot "hijack" the token and access other reports.
4) solution must be manageable.
0
 
astro26 (Author) Commented:
I would think that

1) create separate user names/groups in enterprise for viewing reports.. have the custom routine call the correct username/password for the given report area.
2) only allow developers to be members of the everyone group... currently superuser is a member of everyone and all reports use that username and its password

0
 
frodoman Commented:
astro,

Certainly the best solution is to limit access on CE.  We have around 3 dozen user groups and allow access to reports based on group membership.  That way even if a user starts randomly entering id numbers, they will only be able to see reports for which they are allowed access anyway.

frodoman
0
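Added example, not part of the thread and not Crystal Enterprise code: a Python sketch (rather than the poster's ColdFusion) of the application-side half of the fix, where every viewer request re-checks group membership for the report id taken from the URL and the ticket is bound to that id. The group names, users, key and all function names are hypothetical.

```python
import hashlib
import hmac
import time

# Constructed sample data: groups allowed per report id, and each
# application user's groups. A real app would read these from its store.
REPORT_GROUPS = {21: {"finance"}, 23: {"sales", "finance"}}
USER_GROUPS = {"alice": {"sales"}, "bob": {"finance"}}
SECRET = b"constructed-demo-key"  # placeholder; load from a secret store


def may_view(user, report_id):
    """Deny by default: unknown users and unknown report ids get nothing."""
    allowed = REPORT_GROUPS.get(report_id, set())
    return bool(allowed & USER_GROUPS.get(user, set()))


def _sign(user, report_id, expires):
    msg = f"{user}|{report_id}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_ticket(user, report_id, ttl=300, now=None):
    """Return a ticket bound to (user, report_id, expiry), or None."""
    if not may_view(user, report_id):
        return None
    expires = int(now if now is not None else time.time()) + ttl
    return f"{expires}.{_sign(user, report_id, expires)}"


def check_request(user, report_id, ticket, now=None):
    """Run on every viewer request; report_id is the integer parsed from the URL."""
    try:
        expires_s, mac = ticket.split(".", 1)
        expires = int(expires_s)
    except (AttributeError, ValueError):
        return False
    now = int(now if now is not None else time.time())
    if now > expires:
        return False
    # The MAC covers the report id, so a ticket for 23 fails for 21.
    if not hmac.compare_digest(mac, _sign(user, report_id, expires)):
        return False
    # Re-check membership so a revoked user cannot reuse an old ticket.
    return may_view(user, report_id)
```

This only gates the application's own pages; if the viewer can be reached directly with a shared logon, the per-group rights on the report server described above are still needed.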
