Chat now with support
Chat con el soporte

Quest Knowledge Portal 2.11 - Install Guide

Using Integrated Windows Authentication

If you want to use Integrated Windows authentication, make sure it uses Kerberos authentication protocol, and take the following steps to make such authentication work properly:

  1. In the Active Directory Users and Computers MMC snap-in, select the user account under which the product database will be accessed.
  2. Select Properties and click the Account tab.
  3. Make sure the Account is sensitive and cannot be delegated option is cleared.
  4. Select Account is trusted for delegation.
  5. Select the computer where the SSRS and Knowledge Portal are installed.
  6. Select Properties and click the General tab.
  7. Select Trust computer for delegation.

Access to Reports and Folders

Report security settings allow you to provide report users with access rights to the particular reports or folders they need.

Note: Security settings are inherited from the report folder, so you may want to proceed with the report folder rather than with individual reports.

There is a special role named "QKP—Traverse Folders" that allows users to view child folders or reports using their full path in the folder hierarchy, but prevents these users from viewing parent folders contents.

To apply security settings (i.e., configure access rights) for multiple reports, the Property Manager Wizard can be used. To apply security settings to a single report, use the Change Security Settings command from Manage Report menu and make the necessary changes with Report Manager.

Note: Custom roles (like 'QKP - Traverse Folders') can be created and automatically included into roles list in Report Manager only in SSRS 2005. To work with custom roles in SSRS 2008, follow the instructions provided in the How to: Create, Delete, or Modify a Role (Management Studio) MSDN article.

To specify security settings for multiple reports

  1. Start the wizard by clicking on the Property Manager Wizard tab in the toolbar.
  2. On the Select Property Application Mode step, select the Apply specific values option.
  3. Select the reports or folders you want.

Note: For the certain reports or folders to be displayed properly, you may need to assign the QKP—Traverse Folders role (or the one with not less privileges for viewing the reports) to user who is to get access to these reports or folders in the reports tree. Remember that this predefined role is displayed in SSRS 2005 Report Manager only.

  1. On the Select Properties to Apply step, select Security properties.
  2. On the Specify Security Properties step, specify accounts and roles for them to grant the users access to the reports or folders they need:
    1. Click Add to add an account to the list. On the Select User or Group dialog, enter the first letters of the account name to look for, and click Search.
    2. In the list of accounts found, select the account you need, and click OK.
    3. Select the account you need, and from the list of SSRS roles, select the role or roles to be assigned to this account.

Note: To exclude an account from role assignment, select it in the list, and click Remove.

If you select to Replace previously assigned roles, then security settings being configured will take precedence over the ones you might have set for selected reports and user accounts with Reporting Services (as described below).

  1. Finish the wizard.

To specify security settings for a single report

  1. Select the required report or folder in the Knowledge Portal, and select Change Security Settings from the Manage Report menu. You are taken to Reporting Services Report Manager.
  2. Click Edit Item Security to specify roles for the user accounts as needed.
  3. When finished, click Back to return to Knowledge Portal.

Example

We assume that InTrust Audit data source is associated with the the ITAudit_DB database on the SQL Server named SQLSRV. To provide a sample user account Alex from the IT domain with access to the ‘Group Membership Management’ report, you need to check the following:

  1. Within SSRS, this user (or the group this user belongs to) has the Browser role for the report and its parent folders (up to the root folder).
  2. The account specified in the InTrust Audit data source properties for the ‘Group Membership Management’ report was granted access to the ITAudit_DB database on SQLSRV server.

This can be achieved by taking the steps described below.

To provide an account with access rights required for report generation

  1. In Knowledge Portal, click the Reports tab in the left pane and navigate to the 'Group Membership Management' report.
  2. Select the Change Security Settings command from the Manage Report menu options.
  3. On the Properties tab in Report Manager, click Edit Item Security to assign the IT\Alex account the Browser role to currently selected report. Refer to Report Manager Help if necessary.
  4. When finished, click Back to return to Knowledge Portal.
  5. In Knowledge Portal, click the Data Sources tab.
  6. Select the InTrust Audit data, and click Modify Data Source from the Manage Data Source menu options.
  7. On the Select Authentication Mode step of the wizard, select the Windows Integrated authentication option.
  8. Finish the wizard.

Note: Remember to assign sufficient access rights to the user account that will access the ITAudit_DB database.

To test access rights, you can connect to the Knowledge Portal under the sample IT\Alex account, click the Reports tab, select the 'Group Membership Management' report and click View Report option. The report should be generated and displayed in the right pane.

Role-Based Security

SQL Server Security Model

The SQL Server security model involves security policy and authentication, roles, permissions, and passwords. In particular, fixed database roles allow the database administrator to assign certain groupings of database administrative permissions. Instead of giving a user full database owner functionality, fixed database roles allow the DBA to assign only the database-level permissions to be granted to the user.

For example, if the DBA wants to give a particular user the ability to create objects in the database, the DBA could just add that database user account to the db_ddladmin fixed database role.

Role Description
db_owner

Performs all maintenance and configuration activities in the database.

db_accessadmin

Adds or removes access for Windows users, groups, and SQL Server logins.

db_datareader Reads all data from all user tables.
db_datawriter

Adds, deletes, or changes data in all user tables.

db_ddladmin Runs any Data Definition Language (DDL) command in a database.
db_securityadmin

Modifies role membership and manages permissions.

db_backupoperator

Backs up the database.

db_denydatareader Cannot read any data in user tables within a database.
db_denydatawriter

Cannot add, modify, or delete data in any user tables or views.

SQL Server roles for the accounts used to work with reports are a part of system requirements; they are provided by your database administrator.

Documentos relacionados