The Web Dashboard can use different data source types to supply dashboards with data.
Certain data sources (such as DashboardSqlDataSource or DashboardOlapDataSource) require establishing a data connection using specific connection parameters.
You can provide end-users with the capability to create data sources based on predefined data connections or you can add the required predefined data sources in code. Use one of the following approaches to provide connection parameters:
You can use the Web Dashboard to display existing dashboards (created, for instance, in the WinForms Designer or in code). The Web Dashboard control automatically checks whether such dashboards contain data connection parameters. If so, the dashboard will not be loaded and an error message will be displayed. In this case, remove all connection parameters from the dashboard definition and keep only a connection name. Then, provide connection parameters using the approaches described above.
If necessary, you can disable the connection parameter validation using the DashboardConfigurator.PassCredentials property. This property is introduced to prevent passing confidential information to the client side. If this property is enabled, the dashboard will be displayed regardless of whether it contains user credentials. However, we do not recommend using this approach in production for security reasons.
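The clean-up step described above (remove connection parameters from a dashboard definition and keep only the connection name) can be scripted as a check before dashboards are deployed. The following is an added example, not code from the product or its documentation; the XML element names (Connection, Parameters, Parameter) and the sample definition are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample definition. The element layout is an assumption about
# the dashboard XML; adjust the tag names to match your own files.
SAMPLE = """<Dashboard>
  <DataSources>
    <SqlDataSource ComponentName="sqlDataSource1">
      <Connection Name="SalesConnection" ProviderKey="MSSqlServer">
        <Parameters>
          <Parameter Name="server" Value="db.example.internal" />
          <Parameter Name="userid" Value="report_user" />
          <Parameter Name="password" Value="constructed-secret" />
        </Parameters>
      </Connection>
    </SqlDataSource>
    <SqlDataSource ComponentName="sqlDataSource2">
      <Connection Name="OrdersConnection" />
    </SqlDataSource>
  </DataSources>
</Dashboard>"""


def find_embedded_parameters(root):
    """Return {connection name: [parameter names]} for connections that embed parameters."""
    findings = {}
    for conn in root.iter("Connection"):
        names = [p.get("Name", "") for p in conn.iter("Parameter")]
        if names:
            findings[conn.get("Name", "<unnamed>")] = names
    return findings


def strip_connection_parameters(xml_text):
    """Remove everything from each <Connection> except its Name attribute."""
    root = ET.fromstring(xml_text)
    findings = find_embedded_parameters(root)
    for conn in list(root.iter("Connection")):
        name = conn.get("Name")
        conn.clear()  # drops child elements and all attributes
        if name is not None:
            conn.set("Name", name)
    return ET.tostring(root, encoding="unicode"), findings


if __name__ == "__main__":
    cleaned, found = strip_connection_parameters(SAMPLE)
    for name, params in found.items():
        print(f"{name}: removed {', '.join(params)}")  # names only, never values
```

The report lists parameter names only, so the script's own output does not leak the values it removes.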
By default, the Data Source Wizard allows only visual construction of SQL queries using the built-in Query Builder. Queries constructed using the Query Builder can only contain a SELECT statement and are guaranteed to be safe.
Manual editing of SQL queries is considered unsafe and is disabled by default in the Web Dashboard's UI. You can enable SQL editing at your own risk using the approach described in the following document: Custom SQL Queries.
Custom SQL queries are validated before their execution. Although the default validation mechanism only allows custom queries containing SELECT statements (except for SELECT INTO clauses), it cannot be considered safe, as it does not prevent execution of potentially harmful requests. Before enabling this option, please make sure to apply a secure SQL validation that prevents execution of harmful requests.
It is also recommended that you utilize the access control functionality of your database management system to achieve the highest level of database security.
Restrict Access to Unauthorized Assemblies
Loading of custom assemblies that can be referenced by Entity Framework data sources (DashboardEFDataSource) is forbidden by default.
The Web Dashboard can act as the Designer or Viewer and supports the following working modes:
The Web Dashboard acts as a Dashboard Designer and allows end-users to create, edit and save dashboards. Note that in this case, you can switch to the Viewer mode on the client side.
The Web Dashboard acts as a Dashboard Viewer and allows you to display dashboards to end-users. Note that in this case, you can switch to the Designer mode on the client side.
The Web Dashboard acts as a Dashboard Viewer without the capability to switch to the Designer mode on the client side.
In this mode, the Web Dashboard does not load the extensions required for designing dashboards.
For Web Forms in standard mode (DashboardConfigurator is not used), set the working mode to WorkingMode.ViewerOnly. In this mode, the Web Dashboard works as a pure viewer application and does not allow changing dashboards stored on a server.
By default, all users (including unauthorized ones) can access a dashboard control handler. You can limit access by adding authorization to the dashboard control handler and denying access to all unauthorized users.
When the Web Dashboard performs data-related operations in client data processing mode, data from a data source can be cached. Create a custom parameter to specify a different cache for different user roles.