« Code Camp '06 | Main | Road to Code Camp South Florida Part 1 »

January 03, 2006

SQL Server Reporting Services Security

If you haven't tried out SQL Server Reporting Services you really should give it a look. It features a better than average report designer. You have shared data sources, a Query designer, drag and drop fields and sub-reports. Virtually every property of every object in the report can be configured by parametrized expressions. Report are easy to create, easy to deploy and easy to export to various formats. Best of all if you are SQL Server 2000 license owner the add-on is free. If you are running SQL Server 2005 its baked in.

By default SSRS (SQL Server Reporting Services) runs under windows domain authentication. This works great on the intranet but what happens when you want to use reporting over the Internet. It can be done but its going to be a bumpy ride.

SSRS has an extensible security architecture. You have to extend the existing security model to use Forms authentication. Authentications are handled through your database or a custom database supplied with the sample. Once you get through this the real trick is to seamlessly authenticate users who are using you application to display reports without having to ask them to supply their credentials again.  It be done but it took a weekend and three developers to get it working. Think twice before heading down this path.

02:07 PM | Permalink


Ah yes, what a fun weekend we had :-)

Posted by: John Papa | Jan 14, 2006 8:57:09 PM

Hi, I read your article and I was wondering if you could point me in the right direction to implement security with forms authentication. I've tried the example Microsoft provides, but am encountering some issues. Any help would be appreciated. Thanks.

Posted by: Oliver | Mar 6, 2007 10:41:02 AM

Hi I am using SRS 2000. Can you guide me as to how I can hide or block the URL header when user's run report.

When I login to SRS and try to run reports, I have noticed that the URL can be copied and paste into a new web browser and can be manupilated. I would like to hide the URL.


Posted by: Amrit Giani | Aug 14, 2007 11:50:55 AM

Hi all,

Is there any solution to handling the security(user credentials) in report model itself ?
so that
depending on the user info the connection string in the model has to change and only the user related db's should be connected to the model

Posted by: chaitanya | Mar 25, 2011 6:40:17 AM

The comments to this entry are closed.