Data Access Security
This document describes how to avoid possible security risks when accessing data in reporting applications.
The default data access behavior of the End-User Report Designer is intended to provide a high level of database security.
We strongly recommend that you utilize the default behavior if your reporting application can be accessed by untrusted parties.
We also recommend that you use the access control functionality of your database management system to achieve the highest level of database security.
Data Connection Security
Data source connection parameters are encrypted before they are passed to the client.
When the SQL Data Source wizard obtains connection strings from the Web.config file, the serialized report contains only the connection name (and not the connection string itself).
You can register a custom connection string provider and store either all the connection parameters or only the connection name with the serialized data source. When a report serialized with connection parameters is passed to the client, these parameters are encrypted by applying the MachineKey algorithm. To provide a custom encryption mechanism, use the ISecureDataConverter interface.
Refer to the following topics for more information on data connection registration:
- ASP.NET Web Forms - Register Data Connections
- ASP.NET MVC - Register Data Connections
- ASP.NET Core - Register Data Connections
Disable Custom SQL Queries
Default security settings do not allow direct SQL query text editing. Enable SQL editing at your own risk using the approach described in the following document: Custom SQL Query in Report Designer
Custom SQL queries are validated before their execution. Although the default validation mechanism only allows custom queries with SELECT statements (except for SELECT INTO clauses), it is not safe as it does not prevent execution of potentially harmful requests. You should implement secure SQL validation before you allow custom SQL queries.
Utilize the access control functionality of your database management system for the highest level of database security.
If custom SQL queries are enabled, you can edit SQL statements on the following SQL Data Source Wizard pages:
- Create a Query or Select a Stored Procedure (when adding a new data source)
- Create a Query or Select a Stored Procedure (when editing an existing data source)
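The database-level access control recommended in this section, sketched for SQL Server as an added example (not part of the original documentation). The database, schema, view, table, role and login names are assumptions, and the password is a placeholder.

```sql
-- Added example. Assumed names (not from the page): database SalesDb, schema
-- "reporting", view OrderSummary, table dbo.Orders, login report_reader.
-- Run as a database administrator in sqlcmd or SSMS (GO separates batches).

CREATE LOGIN report_reader WITH PASSWORD = '<set-a-strong-secret>';  -- placeholder
GO
USE SalesDb;
GO
CREATE USER report_reader FOR LOGIN report_reader;
GO
-- Expose only what reports need through a dedicated schema of views.
CREATE SCHEMA reporting AUTHORIZATION dbo;
GO
CREATE VIEW reporting.OrderSummary AS
    SELECT OrderId, OrderDate, Total       -- only the columns reports require
    FROM dbo.Orders;
GO
CREATE ROLE report_readers;
GRANT SELECT ON SCHEMA::reporting TO report_readers;
-- Explicit denies take precedence over grants inherited from other roles.
-- The view still works: it and dbo.Orders share an owner (ownership chaining).
DENY SELECT, INSERT, UPDATE, DELETE, EXECUTE ON SCHEMA::dbo TO report_readers;
DENY CREATE TABLE TO report_readers;       -- SELECT ... INTO requires CREATE TABLE
ALTER ROLE report_readers ADD MEMBER report_reader;
GO
-- Check the effective rights while impersonating the reporting account.
EXECUTE AS USER = 'report_reader';
SELECT HAS_PERMS_BY_NAME('reporting.OrderSummary', 'OBJECT', 'SELECT') AS can_read_view,
       HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'SELECT')             AS can_read_table,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'CREATE TABLE')        AS can_create_table;
REVERT;
```

Use the restricted login in the connection string that the reporting application registers, so that a custom query that passes validation still runs with read-only rights on the reporting schema.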
Restrict Access to Unauthorized Assemblies
Loading custom assemblies that can be referenced by Entity Framework data sources (DashboardEFDataSource) is not allowed.
To permit loading a specific assembly, handle the EFDataSource.BeforeLoadCustomAssembly event (or static EFDataSource.BeforeLoadCustomAssemblyGlobal event) and specify the following properties of the BeforeLoadCustomAssemblyEventArgs object:
- Specifies whether loading a custom assembly is allowed.
- Specifies a path to a custom assembly.
- Specifies the type to load from a custom assembly.
An unauthorized attempt to load a custom assembly raises the CustomAssemblyLoadingProhibitedException exception.