Security

[nat35]

Hi there,
any ideas how to secure information on report
Example:if the user drilldown to next level let say if
manager he can see wage of employee if other user group
then only name and last name
I can create two reports and give users access to report
but i want in one. the report publishes on citrix
thanx
nat

 

[rosemaryl]

Dear Nat34,

Are the user's accessing Crystal directly or through an interface. What is your db?

For example I do consulting on MagicTSD (thin-client help desk software), all users must be members of a group(s) and login with a username and a group (stored in session).

When a table is created a Group View is created for each group and is based upon the base view of the table. The group views are used to define table and field level permissions in the group views.

Reports are written against base views, but when a report is run through the app, the select of the sql is changed from the base view name to the group view - if you don't have permissions the data isn't returned. The report doesn't error - you just don't get data for that table and/or field.

This is obviously a lotta programming to implement, but the concept may work for you if you at least store the users name and position in the database. You could base the report on a stored procedure that uses the username and to find/check their position and modify the select statement based upon position.

Another solution, which would require constant maintenance, so imo is not worth the effort, is to do this with formulas using:

//Begin @ismgr
shared stringvar USR;

usr:=
Select {%User} //assumes sql expression for db return user!
case BobC : "Manager"
Case MaryY: "Not Manager"
....
Default: "Unknown"

Place this formula in the report header and then on the fields that must be suppressed from non managers, use the
shared variable as in a suppression formula on the field:

//Begin @mgrtst
shared stringvar usr;

usr <> &quot;Manager&quot;


The above was all concept, I haven't tested...but it should work.

Hope that wasn't too long-winded and actually helped,

ro Rosemary Lieberman
rosemary@microflo.com,

http://www.microflo.com

Microflo provides expert consulting on MagicTSD and Crystal Reports.

 

[nat35]

the report is based on sql 2000 sp and database
has the username do i have to pass par to sp as username
nat

 

[rosemaryl]

Nat35,

No.

I am assuming they have to login to run report. As soon as they login, the username is there, so I would just check the username.

Is the position also stored? If yes, then you are set.
Little caveat:

For people who are not managers, return in the resultset null field(s) with the same name(s) as fields that managers can see. That way you can place them on the report canvas and if they are a manager, will show, if not will be blank and you won't have problems with Crystal.
ro

Rosemary Lieberman
rosemary@microflo.com,

http://www.microflo.com

Microflo provides expert consulting on MagicTSD and Crystal Reports.

 

[chelseatech]

What I did at one site was to create a simple Security table with User and a Password and a join to a User field or Dept field in the reporting data.

Then when a report ran, the user had to enter their User ID and Password, or the record selection retrieved no records. Quite simple to set up, and the scurity ended up being inside each report.

Made web delivered reports a lot simpler. Editor and Publisher of Crystal Clear

http://www.chelseatech.co.nz/pubs.htm

 

[nat35]

thanks all for your time
Now at lease i have the ideas how i can do it
nat