Last post Apr 01, 2011 04:36 AM by drhdrhdrhdrh
Mar 29, 2011 08:12 AM|drhdrhdrhdrh
I need a reliable method to switch off users' access to SSRS dynamically. If you care about the reason, users are not allowed to access SSRS from home, but they are allowed access from within the factory walls.
I can generate a token or event when they arrive at work or leave, no problem, such is the sophistication of our security system.
So I can create a little .NET app that pokes SSRS in some way and tells SSRS to allow that username to access reports. When the user leaves the premises, the .NET app will prod SSRS to deny that username access.
I considered dynamically adding and removing usernames from the authentication section of web.config in the SSRS root dir, as in <deny=usernamelist />. But given the frequency of changes (dozens per hour at peak times), that seems too intrusive, as it probably causes the restart of the app.
I tried adding usernames to the ACL on the SSRS physical directory (Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer) as deny reader, and for a few brief minutes I thought I had arrived at a solution, but for some reason SSRS decided to serve pages to denied users seemingly at random. Must be cached somewhere, although I can't for the life of me figure out why that would be happening seemingly at random.
I rather like the ACL idea from the perspective of ease of control, and if there's a simple thing I have overlooked in the way SSRS interacts with IIS and NTFS permissions, I hope someone can point it out so I can understand why the ACL seems to be mostly
So now I am seeking expert advice... anyone got any ideas?
Apr 01, 2011 04:36 AM|drhdrhdrhdrh
Having continued experimenting in the absence of any better options, it seems that if I add an ACL deny read permit to the script file Reports/Pages/Folder.aspx, then it behaves as intended without any unexpected access allowance or denial.
So my current theory is that IIS caches the file's ACL list along with the file and uses it, in contrast to what happens when using the directory ACL (largely ignored, at least by my observation).
I need to figure out what other script files I need to deny access to: to prevent production linked reports being accessible, and other features.
This is looking rather clunky: if anyone has any better ideas please post....
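The per-file deny toggle described in the last post, written as an added PowerShell example (not the poster's code). The function name `Set-ReportFileDeny`, and the path and account shown in the usage comments, are assumptions; it only adds or clears an explicit Deny-Read entry for one account on one file and returns what is left, so the result can be logged on each arrive/leave event.

```powershell
# Added example: toggle an explicit Deny-Read ACE for one account on one file.
# Function name, path and account below are hypothetical placeholders.
function Set-ReportFileDeny {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Path,     # full path to the .aspx file
        [Parameter(Mandatory = $true)][string]$Account,  # DOMAIN\user
        [Parameter(Mandatory = $true)][ValidateSet('Deny', 'Clear')][string]$Action
    )

    if (-not (Test-Path -Path $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Resolve the name to a SID first, so a mistyped account fails here
    # instead of producing an ACE for an unresolvable identity.
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid,
        [System.Security.AccessControl.FileSystemRights]::Read,
        [System.Security.AccessControl.AccessControlType]::Deny)

    $acl = Get-Acl -Path $Path
    if ($Action -eq 'Deny') {
        $acl.AddAccessRule($rule)            # merges with an existing deny ACE for the SID
    } else {
        [void]$acl.RemoveAccessRule($rule)   # strips the Read bits from that deny ACE
    }

    if ($PSCmdlet.ShouldProcess($Path, "$Action read for $Account")) {
        Set-Acl -Path $Path -AclObject $acl
    }

    # Re-read from disk and return the explicit deny entries still present
    # for this account (empty after a successful 'Clear').
    (Get-Acl -Path $Path).GetAccessRules($true, $false,
            [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value -and
                       $_.AccessControlType -eq 'Deny' }
}

# Usage (placeholder values):
# Set-ReportFileDeny -Path 'D:\placeholder\Reports\Pages\Folder.aspx' -Account 'FACTORY\jsmith' -Action Deny
# Set-ReportFileDeny -Path 'D:\placeholder\Reports\Pages\Folder.aspx' -Account 'FACTORY\jsmith' -Action Clear -WhatIf
```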