Tải bản đầy đủ - 0 (trang)
Chapter 18. Securing Report Server Items

Chapter 18. Securing Report Server Items

Tải bản đầy đủ - 0trang

ReportingServicesSecurityModel

Role-basedauthorizationisnotanewconcept.Itisaproven

mechanismthatisimplementedinavarietyofways.Oneofthe

mostcommon,everydayitemsthatusesrole-based

authorizationisthefilesystem.IfyourPC'sfilesystemisbased

onNTFS,youhavetheabilitytoplaceaccesscontrollists

(ACLs)oncertainfolders.ACLsspecifyusersorgroupsofusers

(genericallycalledprincipals),permissionstoread,write,or

executeitemswithinafolder,orthefolderitself.Ifafolderdoes

nothaveACLsplacedonit,thefolderthensimplyinheritsits

permissionsfromtheparentfolder.Theadministratorofthe

computercan,ofcourse,changeaccesstocertainfolders,but

isnotallowedtoplacehimselfintheaccesspool.

Drawingfromthefilesystem'sparadigm,theSSRSsecurity

modelsitverysimilarly.WithinSSRS,thereareafixednumber

ofpredefinedroles,whichcanbeassignedtousers.Theseroles

areusedtogivepermissionstoexecutecertaintasksonfolders

orotherreportitems.Examplesofsomeofthebuilt-inroles

includeBrowser,ContentManager,andSystemAdministrator.

WhenSSRSinstalls,itsetsupthelocaladministratorpoolwith

theSystemAdministratorandContentManagerroles.

Thisistheabsoluteminimumsecuritythatcanbeapplied.

SSRSrequiresthatatleastoneprincipal,avaliduserorgroup,

beassignedtotheSystemAdministratorrole,andlikewiseto

theContentManagerrole.ThisensuresthattheReportServer

cannotbelockedoutfromtheoutside.

Therearenousersadded.UserscannotinteractwiththeReport

ServeruntilsomeoneinthelocalAdministratorsgroupassigns

themtoeitheroneofthepredefinedroles,oracustomrole.

Whenthetimecomestostartaddingusers,administrators



havethechoicetoadduserstoacertainrole,ortomanyroles.

Userscanevenhavedifferentpermissionsondifferentreport

items.Forexample,ausermightbeaContentManager,which

allowstheusertopublishreports,inonefolder,yetonlybea

Browser(readonly)inanotherfolder.

Asmentionedinthechapterintroduction,SSRSusesWindows

authenticationbydefault.Thelistofvalidusersandgroups

restsinthehandoftheauthenticationservices.Whenauseror

group(referredtoasaprincipalfromthispointforward)is

addedtoarole,theprincipalisvalidatedagainstthe

authenticatingauthority.

OnaReportServer,authenticationthroughtheWindows

securityextension(defaultmethod)isperformedbyIIS.The

userandgroupaccountsthatyouspecifyinroleassignments

arecreatedandmanagedthroughActiveDirectory.

Ifacustomersecurityextensionisused,itisuptothe

extensiontovalidatetheprincipal.







WhatCanBeSecured?

Althoughitmightnotbethemostefficientapproach,thereality

isthatjustabouteveryreportitemcanbesecuredindividually.

Somethingsthatdon'tfollowthisrulearesubscriptionsand

schedulesbecausetheyareusedinconjunctionwithareport

andnotasanindependentpartofit.Table18.1describeshow

reportitemsandtheirsecuritywork.

Table18.1.ReportItemsandEffectsofSecurity

ReportItem



HowSecurityApplies



Folder



Securingafolderusuallyendsupsecuringallthe

itemswithinthatfolder.WhenSSRSisinstalled,

onlylocaladministratorsareContentManagers

ontherootfolder.Thisensuresthatnousercan

browsethecatalog,unlessgivenexplicitrights

todoso.TheexceptiontothisistheMyReports

folder.MyReports,ifit'senabled,createsa

pseudofolderwithinthecataloginwhichusers

aregivenpermissionstopublishtheirown

reports.



Report



Reportsandlinkedreportscanbesecuredto

controllevelsofaccess.Forexample,theView

Reportstaskallowsuserstoviewareportas

wellasreporthistory,whereasManageReports

allowsthemtochangereportproperties.Manage

ReportHistoryallowsuserstogenerate

snapshots.



Model



Primarilyusedtosecureaccesstothemodel,it

canalsobeusedtosecurereportsforwhichthe

modelactsasadatasource.Modelscanalsobe

securedinternallybysecuringmodelitemswith

perspectives,specifyingroleassignmentsonall

orpartofamodel,andsecuringitemssuchas

therootnode,folders,entities,andrelationships

withinthemodel.



Resources



ResourcesareitemsintheReportServerthat

providecontenttouser.Anexampleofa

resourcecanbeanHTMLfileorWorddocument.



Securingaresourcelimitsaccesstotheresource

anditsproperties.TheViewResources

permissionsareneededtoaccesstheresources.

Shareddatasources Securingshareddatasourceslimitsaccessto

thedatasourceanditscorrespondingproperties.

Toviewthedatasourceproperties,usersneed

theViewDataSourcespermission;likewise

ManageDataSourcesgivespermissionsto

modifythem







HowRoleAssignmentsWork

Tocontinuewiththefilesystemanalogy,onehastoaskwhat

areweactuallyputtinglimitson?Theansweriswhocanread,

write,andexecuteonobjectswithinthefilesystem.Acursory

glanceatTable18.1givesasimilarperspective.Bysecuringa

reportitem,youareactuallyputtinglimitsonwhatactionscan

betakenusingthatitem.TheactionsarecalledtasksinSSRS.

SSRScomeswith25differenttasks.Taskscannotbeaddedto

ortakenawayfrom.Table18.1hasalreadymentionedthe

namesofafewtasks,suchasViewReportsandManage

Reports.

Tasksthemselvesactuallyencompassasetofunderlying

permissions.Forexample,theManageFolderstaskactually

givestheendusertheabilitytocreate,delete,update,and

modifyafolderanditsproperties.IfauservisitstheReport

ManagerwithoutthepermissionstoManageFolders,noneof

thebuttonsorUIelementswillbeenabled.

Theunderlyingpermissionsarenicetoknowabout,butnot

verypractical,astaskisthelowestlevelofassignment.Toget

assignedpermissionstocompleteanoperation,thepermissions

havetobeimplementedintoatask.Thetaskortaskshaveto

thenbeplacedinaroletobeperformed.Hence,iftheView

Modelstaskisnotincludedinarole,ortheroleisnotincluded

inaroleassignment,userscannotviewreportmodels.

Tasksthemselvescomeintwodifferentcategories,asfollows:

Item-leveltasksTasksthatactonanitemintheReport

Servercatalog,suchasfolders,models,reports,and

resources



System-leveltasksTasksthatcanbeperformedon

objectsthatarenotinthecatalogbutareglobalinscope,

suchassitesettingsandsharedschedules

Asyoumighthavealreadyguessed,theroleisthecentraltenet

ofrole-basedsecurity.Rolesarecollectionsoftasks.SSRS

comeswithafewpredefinedroles,butadministratorscanalso

createrolestosuittheirneeds.Asinglerolecanonlycontain

oneofthetwotasktypes,thatis,eitheritem-leveltasksor

system-leveltasks.Becauseofthis,thereareitem-levelroles

andsystem-levelroles.Aroleisonlyactivewhenitisassigned

toauser.

Whenausertriestoperformanaction,theReportServer

checkswhatpermissionsarerequiredtoperformthataction.

Therequiredpermissionsareexpressedintherolesrequiredfor

access.Itthencheckstomakesurethattheuserrequesting

theactionhassufficientprivilegestoperformthataction.Again,

theeasiestwayistocheckiftheuseriseitheramemberofthe

specifiedrole,oriftherolescontaintherequiredtasksand,

hence,permissions.







RelationshipsBetweenRoles,Tasks,andUsers

Therelationshipbetweenitemsthatneedtobesecured,roles,

andusersiscalledapolicy.Thepolicyiswhatisresponsiblefor

mappingouttheminimumsetofpermissionsrequiredfor

securingareportitem.Anindividualpolicyisamappingof

usersorgroups(principals)witharequiredroleneededfor

access.Eachiteminthecatalogcanhavemultiplepolicies

defined;however,nosingleitemcanhavetwopoliciesthat

applytothesameprincipal.

Forexample,supposeyouhaveausernamedGeorgeandyou

needtograntGeorgeaccesstoviewreportsintheAdventure

Worksfolder.Todoso,youspecifiedthatGeorgecanhavethe

Browserrole.Afterdoingthis,youcreatedapolicy.Thepolicy

canbemodifiedbygrantingmorerolestoGeorge,hence

increasingGeorge'spermissionsto,forexample,Content

Manager;however,youcannotcreateasecondpolicywith

George.Whatyoucandoiscreateagroup,forexample

"AdventureWorksContentManagers,"andplaceGeorgeinthat

group.YoucanthengivethegrouptheroleofContent

Manager.

So,intheend,whatareGeorge'spermissions?Well,because

rolesarereallynothingmorethenacollectionoftasks,George

canperformallthetasksthatContentManagersandBrowsers

canperform.Thisiswhythepoliciesarecalledadditive.

Bythispoint,youareprobablythinkingthatsecurityisalotof

trouble.Ifeveryitemcanhaveapolicy,andpolicesare

additive,grantingpermissionscanquicklygetoutofhand.The

thingtorememberhereisthatjustbecauseyoucando

somethingdoesn'tmeanthatyoushould.

Whenyouapplyapolicytoafolder,orsomeotheritems,you

are,bydefault,applyingthesamepolicytochildrenofthat



folder/item.Thismakesiteasytochangeandapplypolicies.

Therecommendedbestpracticeistosecurefolderswithinthe

ReportServercatalog.Bysecuringthefolder,administrators

aresecuringeverythingwithinthatfolder.Thisisthesame

modelusedinNTFS.Everychilditemofafolderautomatically

inheritstheparentfolder'spermissions.Wheneveranitem's

permissionsneedtochange,justbreaktheinheritanceand

SSRSstartsanewpolicywiththatitem.







OverviewofBuilt-InRoles

Formostorganizations,thebuilt-inrolesshouldsuffice.Ifthey

donot,keepinmindthattheReportServeradministratorscan

createcustomroledefinitions.Ifyouneedtocreateacustom

roledefinition,itmightbehelpfultostagethatroledefinitionin

adevelopmentenvironment.

Tables18.2and18.3describethepredefinedrolesandtheir

correspondingtasks.Keepinmindthatwhenataskiscalled

"Manage..."thatitimpliestheabilitytocreate,modify,and

delete.

Table18.2.Item-LevelRoles

RoleName



Description



Browser



Allowsuserstobrowsethroughthefolder

hierarchy,viewreportproperties,viewresources

andtheirproperties,viewmodelsandusethem

asadatasource,and,finally,executereports,

butnotmanagereports.Itisimportanttonote

thatthisrolegivesReportViewertheabilityto

subscribetoreportsusingtheirown

subscriptions.



ContentManager



Allowsuserstomanagefolders,models,data

sources,reporthistory,andresourcesregardless

ofwhoownsthem.Thisrolealsoallowsusersto

executereports,createfolderitems,viewand

setpropertiesofitems,andsetsecurityfor

reportitems.



ReportBuilder



MyReports



Allowsuserstobuildandeditreportsusing

ReportBuilderandmanageindividual

subscriptions.

Allowsuserstobuildreportsandstorethe

reportsintheirownpersonalfolder.Theycan

alsochangethepermissionsoftheirownMy

Reportsfolder.



Publisher



AllowsuserstopublishcontenttotheReport

Server,butnottoviewit.Thisroleishelpfulfor

peoplewhoareallowedtodevelopreports

againstadevelopmentortestdatasource,but

arenotallowedtoviewreportsagainstthe

productiondatasource.



Table18.3.TasksAssignedtoItem-LevelRoles





Consumereports

Createdlinked

reports

Manageall

subscriptions

Managedata

sources

Managefolders



Browser







Managemodels

Managereport

history

Managereports

Manageresources

Setsecurityfor

individualitems



X







X











X





















X







Manageindividual

subscriptions



Content My

Report

Publisher

Manager Reports

Builder







X







X

X











X



X



X



X



X



X



X



X



X











X







X



X



X



X



X



X

















X















X



X















Viewdatasources







X



X



X



Viewfolder



X



X



Viewmodels



X



X



Viewreports



X



X



X



Viewrecources



X



X



X

























X

X

X

X



Therearetwobuilt-in,system-levelroles.Theserolesfollowthe

samepatternastheitem-levelrolesinthatoneroleallowsview

accesstosystemssettings,andtheotherallowsthemtobe

modified.Keepinmindthatyoucanalsocreatenewsystemlevelroles.Tables18.4and18.5breakdownthesystem-level

rolesandtasks.

Table18.4.System-LevelRoles

RoleName



RoleDescription



System

Administrator



Allowsmemberstocreateandassignroles,set

systemwidesettings(ReportServerproperties

andReportServersecurity),shareschedules,

andmanagejobs



SystemUser



Allowsmemberstoviewsystempropertiesand

sharedschedules



Table18.5.TasksAssignedtoSystem-LevelRoles







System

Administrator



SystemUser



Tài liệu bạn tìm kiếm đã sẵn sàng tải về

Chapter 18. Securing Report Server Items

Tải bản đầy đủ ngay(0 tr)

×