URGENT: Unmanaged CE10 report ignoring NT security

[JennL]

I am running CE10 on a Windows 2000 server with IIS5. We are using unmanaged CE reporting.

Through active directory I denied 2 groups (channel & supplier) access to a folder on the server and granted access to internal secure groups (acctg & purch). No one is a member in more than 1 of the groups. Anonymous access is turned off for the folder via MMC.

A CR10 report in that folder prompts for the windows login (user name and password). If I log in as a channel or supplier user I am still able to view the report - - even though permission is DENIED.

I created a text file in the same directory and security is being handled properly on that - if I log in as a channel I'm denied, as acctg I can see it.

The only other security on the folder is Administrators & System. None of the members of channel, supplier, acctg & purch groups are a member of administrators or system.

Anyone else run into this? Suggestions?

Jenn

 

[MJRBIM]

Need more detail....

01.) What do you mean by "unmanaged CE reporting"?

02.) Are you running CE10 STANDARD, PROFESSIONAL, OR PREMIUM?

03.) Are you report objects and instances being held/secured within the CE10 input and output repositories, or are you delivering them to an UNMANAGED DISK or FTP site?

04.) How are your clients accessing these RPTs - through WebDesktop/ePortfolio, through an in-house designed interface to CE, directing from an UNMANAGED DISK or FTP site?

 

[JennL]

Sorry for the sketchy details - guess I'm too close to the problem...

The web server has CE10 Professional and CR10 developer that came with CE10 installed. All patches and updates up through 1/24 have been applied.

The users are clicking a hyperlink on an ASP page, the rpt does not require any database login or parameters so its a straight hyperlink.

The rpt is saved in the intranet folders (meaning unmanaged disk?) on the date drive on web server, not in the CE repository (CE is installed on the c: drive on the webserver).

The folder on the d: drive that these reports are in is secured through NT folder permissions.

 

[MJRBIM]

If you have spent the money on CE10 Professional - which includes WinAD security for the CE10 input and output repositories, why are you managing everything on unmanaged disk external to that security model?

The cleanest suggestion would be to enforce WinAD security in CE10 - and have your users connect via the out-of-the-box WebDesktop/ePortfolio interface that CE provides.

Please let me know if this makes sense in your business-process.

 

[JennL]

We have a 3rd party portal (rePORTAL) in use for the extranet. CE10 was purchased to keep us legal for licensing.

There are several reasons for us not to use ePortfolio:
1. Most of the content is not RPTs (ASP, PDF, HTML). CE10 consumes a concurrent license for viewing any item in ePortfolio.
2. ePortfolio as it is out of the box does not support dynamic parameters based on log in. BO support came to our site and setup an access database containing parameters (vendor # for supplier, customer # for channel) and had us join that into a business view for RPTs - but that combination wouldn't work for the ASP pages. rePORTAL does and with a simple user interface and SQL.
3. The powers that be prefer the existing portal interface.

 

[MJRBIM]

Sorry, I can't really help...I don't know anything about rePORTAL and CE-external file security - have you bounced this issue off their tech support at the rePORTAL vendor?

 

[JennL]

I haven't asked rePORTAL since this specific report is external to their application, but you are right in suggesting I try them - - they have to understand the security issues to get their product to work properly. Thanks!

 

[Turkbear]

Hi,
Just one thing you may want to check:
I believe that, even with an unmanaged report the Crystal Pageserver is the actual 'runner' of the report, so check the account under which those services are running..That is the account that is accessing the *.rpt files and whose permissions are used.



PS: you can probably recode the Portal to call Crystal Reports published through the CE system, or code custom pages for the user interface..EPortfolio is not needed.