cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 

Securing sensitive data through bespoke reporting

Go to solution
paul_marks
Participant

on โ€Ž07-13-2012 2:02 PM

0 Kudos

Dear forum

We are in the process of developing a module where users can upload there own crystal report and execute them.

Problem

The data is sensitive and restricted by user login and user permissions in the application. As soon as we allow users to upload there own reports this in effect is going to by pass the security aspects of the application.

Is row level security the only option?

Have other users had similar experinces and found a solution.

All ideas and thoughts are very welcome.

Thank you all in advance

Paul Marks

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

former_member183750
Active Contributor
โ€Ž07-13-2012 4:18 PM
0 Kudos

Hello Paul

The data is sensitive and restricted by user login and user permissions in the application

What is the "application"? CR? App written in .NET? Java?

I do not understand this:

 As soon as we allow users to upload there own reports this in effect is going to by pass the security aspects of the application.

If a logon is required, how would the above by pass the security?

- Ludek

Show replies
Show replies
paul_marks
Participant
โ€Ž07-16-2012 8:39 AM
0 Kudos

Ludek

Thank you for your response.

The application is in .net and has its own internal security
features to protect data.

The issue customers will be writing their own reports and
submitting them. The application utilizes a single login as a connection to the
data. There are no security layers on the database currently on the database to
secure the data at row level. The application relies on its own functionality
to administer security. The user would in effect have direct access to all of
the data using this connection. The data base currently has no security layers
imposed. All security for the application is maintained by the application.

I believe from my own research I have two options (I am looking
for a third) 1) introduce row level security or 2) purchase BOE

I hope this assists further in explaining the issue

With Kind Regards

Paul

former_member183750
Active Contributor
โ€Ž07-16-2012 3:28 PM
0 Kudos

Ok then. I moved your post to the SAP Crystal Reports, version for Visual Studio forum.

Third option may be to secure the report file. This you can do with Crystal Reports 2011 and Crystal Reports for Visual Studio 2010. Note that these files have an RPTR extension and can only be run by CR2011 and Crystal Reports for Visual Studio 2010.

See KB-1527150 - How to Export to read only Crystal Reports Format (*.rptr) format using the Crystal Rep... for more details.

- Ludek

paul_marks
Participant
โ€Ž07-16-2012 3:40 PM
0 Kudos

Ludek

Thank you for your reply

The issue is nothing to do with the protection of the report or its intelectual integrity. These will all be created by our customers and presented as custom reports.

Problem here is one custom report without any secure layer to the database could present data to a users that they do not have permission to see,

I am looking for alternative approaches to securing the data either within crystal reports or at database level

As the vendor of the appliction we have a duty of care to ensure the application is secure but we will have no control on the reports that are presented to a report custom area.

With Kind Regards

Paul

Answers (0)

Ask a Question