Authorization in Reporting Services

Authorization is the process of determining whether an identity should be granted the requested type of access to a given resource in the report server database. Reporting Services uses a role-based authorization architecture that grants a user access to a given resource based on the user's role assignment for the application. Security extensions for Reporting Services contain an implementation of an authorization component that is used to grant access to users once they are authenticated on the report server. Authorization is invoked when a user attempts to perform an operation on the system or a report server item through the SOAP API and via URL access. This is made possible through the security extension interface IAuthorizationExtension. As stated previously, all extensions inherit from IExtension, the base interface for any extension that you deploy. IExtension and IAuthorizationExtension are members of the Microsoft.ReportingServices.Interfaces namespace.

Checking Access

In authorization, the key to any custom security implementation is the access check, which is implemented in the CheckAccess method. CheckAccess is called each time a user attempts an operation on the report server. The CheckAccess method is overloaded for each operation type. For folder operations, an example of an access check might look like the following:

// Overload for Folder operations  
public bool CheckAccess(  
   string userName,   
   IntPtr userToken,   
   byte[] secDesc,   
   FolderOperation requiredOperation)  
{  
   // If the user is the administrator, allow unrestricted access.  
   if (userName == m_adminUserName)   
      return true;  
  
   AceCollection acl = DeserializeAcl(secDesc);  
   foreach(AceStruct ace in acl)  
   {  
         if (userName == ace.PrincipalName)  
         {  
            foreach(FolderOperation aclOperation in   
               ace.FolderOperations)  
            {  
               if (aclOperation == requiredOperation)  
                     return true;  
            }  
         }  
   }  
   return false;  
}  

The report server calls the CheckAccess method by passing in the name of the logged-on user, a user token, the security descriptor for the item, and the requested operation. Here you would check the security descriptor for the user name and the appropriate permission to complete the request, then return true to signify that access is granted or false to signify that access is denied.
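The following is an added example, not code from the original page or from the Reporting Services samples. It generalizes the folder check above to a request that needs several operations at once and denies by default. `FolderOp`, `Ace` and `AccessCheck` are hypothetical stand-ins for the Reporting Services types so that the logic runs without the product assemblies, and the case-insensitive name match is an assumption about the user store.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical stand-ins for the operation enum and the deserialized ACL entry.
public enum FolderOp { ReadProperties, CreateReport, Delete }

public sealed class Ace
{
    public string PrincipalName = "";
    public HashSet<FolderOp> FolderOperations = new HashSet<FolderOp>();
}

public static class AccessCheck
{
    // Grants access only if the user's entries cover every required operation.
    public static bool Check(string userName, IList<Ace> acl, FolderOp[] required)
    {
        // Fail closed: no identity, no descriptor, or nothing requested means deny.
        if (string.IsNullOrEmpty(userName) || acl == null ||
            required == null || required.Length == 0)
            return false;

        // Collect the operations granted to this principal across all entries.
        // Assumption: user names in the user store are case-insensitive.
        var granted = new HashSet<FolderOp>();
        foreach (Ace ace in acl)
        {
            if (string.Equals(userName, ace.PrincipalName, StringComparison.OrdinalIgnoreCase))
                granted.UnionWith(ace.FolderOperations);
        }
        return required.All(op => granted.Contains(op));
    }

    public static void Main()
    {
        // Constructed sample ACL, not data from a real report server.
        var acl = new List<Ace>
        {
            new Ace { PrincipalName = "alice", FolderOperations = { FolderOp.ReadProperties, FolderOp.CreateReport } },
            new Ace { PrincipalName = "bob", FolderOperations = { FolderOp.ReadProperties } }
        };
        Console.WriteLine(Check("alice", acl, new[] { FolderOp.ReadProperties, FolderOp.CreateReport }));
        Console.WriteLine(Check("bob", acl, new[] { FolderOp.ReadProperties, FolderOp.Delete }));
        Console.WriteLine(Check("mallory", acl, new[] { FolderOp.ReadProperties }));
        Console.WriteLine(Check("bob", null, new[] { FolderOp.ReadProperties }));
    }
}
```

The four calls cover a user holding every required operation, a user missing one of them, a principal absent from the ACL, and a missing descriptor.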

Security Descriptors

When setting authorization policies on items in the report server database, a client application (such as Report Manager) submits the user information to the security extension along with a security policy for the item. This security policy and user information are known collectively as a security descriptor. A security descriptor contains the following information for an item in the report server database:

  • The group or user that has some type of permission to perform operations on the item.

  • The item's type.

  • A discretionary access control list controlling access to the item.

Security descriptors are created using the Web service SetPolicies and SetSystemPolicies methods.

Authorization Flow

Reporting Services authorization is controlled by the security extension currently configured to run on the server. Authorization is role-based and limited to the permissions and operations supplied by the Reporting Services security architecture. The following diagram depicts the process of authorizing users to operate on items in the report server database:

![Reporting Services security authorization flow](../../media/rosettasecurityextensionauthorizationflow.gif "Reporting Services security authorization flow")

As shown in this diagram, authorization follows this sequence:

  1. Once authenticated, client applications make requests to the report server through the Reporting Services Web service methods. An authentication ticket is passed to the report server in the form of a cookie in the HTTP header of each Web request.

  2. The cookie is validated prior to any access check.

  3. Once the cookie is validated, the report server calls and the user is given an identity.

  4. The user attempts an operation through the Reporting Services Web service.

  5. The report server calls the method.

  6. The security descriptor is retrieved and passed to a custom security extension implementation of . At this point, the user, group, or computer is compared to the security descriptor of the item being accessed and is authorized to perform the requested operation.

  7. If the user is authorized, the Web service performs the operation and returns a response to the calling application.