let me say you Develop a Report which has a parameter as User!userID.Value (Named as EmployeeID in Reports) to Filter your Data in the Reports and this is captured when user logs into Report Manager.
Case 1:
If you have this EmployeeID as Internal you cant change this Value by passing this Value in URL.
Case 2:
If you have this EmployeeID as Hidden and Deployed it..you can OverRide User!userID.Value by passing this Value in URL Like this ..
http://server/reportserver?/Sales/Northwest/Employee Sales Report&rs:Command=Render&EmployeeID=1234
Employee 1234 can pass 1235 and see his Data which will be security threat.
Hope this Clarifies your Doubt.
No comments:
Post a Comment