4

I have an ASP.NET site using role based security via the SQLMemberShipProvder.

Is it possible to provide internet access to SSRS reports using my existing MembershipProvider roles?

For example, if I have a role SupportPersonRole, can I allow only people in that role to use certain reports?

The docs say SQL 2008 R2 uses basic auth to the local security authority. However if SSRS can only present it's own basic auth login for SSRS content, I'm not sure how I would get a chance to authorize using the MembershipProvider roles.

The ASP.Net page needs to handle report parameter prompting so it seems this implies "remote" mode is appropriate to get this functionality.

The confusing part is SSRS (in remote mode) has it's own role security credentials, which are separate from ASP.Net role based security. So how do you avoid managing security in both places?

whitneyland
  • 10,632
  • 9
  • 60
  • 68

2 Answers2

4

If you include the report viewer control in your site, you can then limit who can see this page, and what reports they can run via your site front end.

Your connection through to the SSRS server (from web server to it), can then be secured so that only your site can access these reports.

Paddy
  • 33,309
  • 15
  • 79
  • 114
  • This is an MVC site - does the control you refer to require WinForms? – whitneyland Mar 19 '12 at 15:42
  • It does, but there are ways and means. Plenty of links about, e.g. http://stackoverflow.com/questions/4137835/viewing-ssrs-reports-in-an-asp-net-mvc-site – Paddy Mar 19 '12 at 15:51
  • Ok great that link proves the control can work in MVC as an ASPX page. But a critical part of the question still is on that ASPX page, how can a specific report be restricted to a specific MembershipProvider role? – whitneyland Mar 19 '12 at 16:17
  • In your code behind, you limit what reports can be called by what roles - you'll need to set this up, maybe have a reportforroles table in your DB, for example. – Paddy Mar 19 '12 at 16:27
  • 1
    The confusing part is SSRS (in remote mode) has it's own role security credentials, which are separate from ASP.Net role based security. So how do you avoid managing security in both places? – whitneyland Mar 19 '12 at 19:10
  • @Lee Whitney - You can't, I'm afraid, but what you are saying is that you have a single user in SSRS who can access all your reports (the context your site runs under), and then you do the limiting within your web application itself. – Paddy Mar 27 '12 at 10:48
4

You could also render a LocalReport to the output of your choice. This can be a good option if you don't need as many choices as the control offers.

// Controller Action
public ActionResult GetReport(ReportParameters foo)
{
    string mimeType;
    var stream = foo.RenderReport(out mimeType);
    return new FileStreamResult(stream, mimeType);
}

class ReportParameters {
    public Stream RenderReport(out string mimeType)
    {
        var localReport = new LocalReport();
        // ... TODO: Set up report data sources render call out variales, etc.
        byte[] renderedBytes;
        renderedytes = localReport.Render(
                reportType,
                deviceInfo,
                out mimeType,
                out encoding,
                out fileNameExtension,
                out streams,
                out warnings);
        return new MemoryStream(renderedBytes);
    }
}
Kevin Stricker
  • 17,178
  • 5
  • 45
  • 71