I have a reporting working and I want to verify that there is no way to get around my security block. I describe what I did and want to see if I am naively relying on obfuscation for security.
I have a report that shows data for various users. There is a PersonID parameter that filters to only the rows related to that PersonID. It is designed with a drop down so that the user can select any Person in the system and it will show data for that Person. I needed to lock the report so that only administrators can select any Person; other users will only see their own data. I deploy the report and then create a linked report that has some parameters set differently. The Admin report is only available to admins and the other is made available to any user.
The first thing I did was to create an internal parameter "ReportType" with values A for Admin and U for Users. I set the default to U.
The data set for the list of users includes this in the where clause:
Where @ReportType = 'A' OR UserName = @UserID
I then map the @UserID query parameter to the UserID global object.
I deployed the report (call that the User Report). Then I created a linked report (the Admin Report). In that linked Admin report, I set the default for ReportType to A (admin). I set the permissions so that any user had access to the main User report and only admins had access to the linked Admin report.
I then tried taking a couple URLs that access the User Report and edited the URLs to try to change the user parameter that limits the rows shown to a different user, a user other than myself. It failed as I had hoped. I tried changing the ReportType in the URL and I got a security error (as hoped).
My question. What ways could test whether I have blocked non-admin users from seeing other users data?
Russel Loski, MCSE Data Platform/Business Intelligence Twitter: @sqlmovers; blog: www.sqlmovers.com