Skip to main content
BuyLog In
.NET Reporting Tools
Search in…
Docs > Reporting for Web > Common Features > Security > Multi-Tenant Support
All docs
V24.1
Reporting
Product Information
.NET / .NET Core Support
Get Started with DevExpress Reporting
Create Different Report Types (Walkthroughs)
Detailed Guide to DevExpress Reporting
Memory Usage in Reporting - Best Practices
Localize Reporting Applications
Security Considerations
Visual Studio Report Designer
VS Code Report Designer
Reporting for Desktop
Reporting for .NET MAUI
Reporting for Web
Common Features
Security
General Security Considerations
Authorized Access
Application Permissions
Data Access Security
Multi-Tenant Support
Custom SQL Query in Report Designer
Custom SQL Query Validation
Printing and Export
Accessibility
Integrate Document Viewer Components
Client-Side Functionality
Themes and Styles
Localization
Supported Browsers
Display Documents from the Report and Dashboard Server
Custom HTML Templates
Web Farm and Web Garden Support
Document Viewer for Web
End-User Report Designer for Web
Standalone Report Parameters Panel for Web
Web UI Development Bundles that Include Reports
Reporting for Blazor
Reporting for ASP.NET Core
Reporting for Angular
Reporting for Knockout-based Applications
Reporting for React
Reporting for Vue
Reporting for ASP.NET MVC
Reporting for ASP.NET Web Forms
Version Upgrade Guide
Troubleshooting
Cloud Integration
Cross-Platform .NET App UI
Backend Web API Service / REST API for Reporting
WCF Report Service
End-User Documentation
Redistribution and Deployment
API Reference
ASP.NET Core API Reference
Blazor API Reference
Client API Reference
Client API Reference (Web Forms & MVC)
Download CHM

Multi-Tenant Support (Row Filtering in Shared SQL Database)

  • 5 minutes to read

This topic describes how to use Web Reporting in a multi-tenant environment. The idea is to restrict access to the source data based on the user who is logged into the system.

Security Filters

Security filters are part of the multi-tenancy application architecture. They are row-level filters applied to the underlying data from the database.

In detail, a security filter is a conditional clause applied to each logical query that retrieves data from tables with the tenant ID column. The filter is used to constrain data based on the rows where the tenant ID column value matches the user ID variable obtained from the application’s user context.

DevExpress Web Reporting allows you to create and register a service that implements the DevExpress.DataAccess.Web.ISelectQueryFilterService interface. The ISelectQueryFilterService.CustomizeFilterExpression method applies a conditional clause to the query passed to the method as a parameter. The Document Viewer, Report Designer’s Preview, and Query Builder call the ISelectQueryFilterService service before the SqlDataSource executes a SELECT query.

Multi-Tenancy Implementation

This section explains how to implement security filters in an ASP.NET Core Reporting application.

View Example: Row-Level Filtering in ASP.NET Core Reporting Application with SqlDataSource (Multi-Tenant Support)

Implement Authentication

For ease of demonstration, this example uses a simulated user login (without actual verification) that allows your code to use this user’s identity.

Obtain the User ID

Create and register the UserService service that processes HttpContext and retrieves the user ID.

using System;
using System.Globalization;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Http;

namespace QueryFilterServiceApp.Services {
    public interface IUserService {
        int GetCurrentUserId();
        string GetCurrentUserName();
    }

    public class UserService : IUserService {
        readonly IHttpContextAccessor contextAccessor;

        public UserService(IHttpContextAccessor contextAccessor) {
            this.contextAccessor = contextAccessor 
                ?? throw new ArgumentNullException(nameof(contextAccessor));
        }

        public int GetCurrentUserId() {
            var sidStr = contextAccessor.HttpContext.User.Claims
                .FirstOrDefault(x => x.Type == ClaimTypes.Sid);
            return Convert.ToInt32(sidStr.Value, CultureInfo.InvariantCulture);
        }

        public string GetCurrentUserName() {
            return contextAccessor.HttpContext.User.Claims
                .Single(x => x.Type == ClaimTypes.Name).Value;
        }
    }
}

Add Security Filter

Create and register the SelectQueryFilterService service that implements the DevExpress.DataAccess.Web.ISelectQueryFilterService interface. The service calls the UserService service to get the ID of the user who is logged into the application.

The following code determines whether the query contains the specified tables, and adds conditional clauses that retrieve data rows where the StudentID column value matches the current User ID. 

using System.Collections.Generic;
using System.Linq;
using DevExpress.Data.Filtering;
using DevExpress.DataAccess.Sql;
using DevExpress.DataAccess.Web;

namespace QueryFilterServiceApp.Services {
    public class SelectQueryFilterService : ISelectQueryFilterService {
        readonly int studentId;

        public SelectQueryFilterService(IUserService userService) {
            studentId = userService.GetCurrentUserId();
        }

        public CriteriaOperator CustomizeFilterExpression(
            SelectQuery query, CriteriaOperator filterExpression) 
        {
            List<CriteriaOperator> filters = new List<CriteriaOperator>();

            if(query.Tables.Any(x => x.ActualName == "Students")) {
                filters.Add(new BinaryOperator
                    (new OperandProperty("Students.ID"), 
                    new OperandValue(studentId), 
                    BinaryOperatorType.Equal));
            }

            if(query.Tables.Any(x => x.ActualName == "Enrollments")) {
                filters.Add(new BinaryOperator
                    (new OperandProperty("Enrollments.StudentID"), 
                    new OperandValue(studentId), 
                    BinaryOperatorType.Equal));
            }

            if(query.Tables.Any(x => x.ActualName == "Reports")) {
                filters.Add(new BinaryOperator
                    (new OperandProperty("Reports.StudentID"), 
                    new OperandValue(studentId), 
                    BinaryOperatorType.Equal));
            }

            if(!object.ReferenceEquals(filterExpression, null)) {
                filters.Add(filterExpression);
            }

            var result = filters.Any() ? new GroupOperator(GroupOperatorType.And, filters) : null;
            return result;
        }
    }
}

Note that the ISelectQueryFilterService does not allow you to modify the query passed to the CustomizeFilterExpression method. The method returns the CriteriaOperator that forms the WHERE clause for the original SELECT query.

Register Services

Register services at application startup.

In the ASP.NET Core application you can use the following code:

using DevExpress.AspNetCore;
using DevExpress.AspNetCore.Reporting;
using DevExpress.DataAccess.Web;
using DevExpress.XtraReports.Web.Extensions;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie();
builder.Services.AddScoped<IUserService, UserService>();
builder.Services.AddScoped<ISelectQueryFilterService, SelectQueryFilterService>();

var app = builder.Build();

app.UseAuthentication();

app.UseAuthorization();

app.Run();

In the ASP.NET WebForms or MVC applications you should register the DevExpress.DataAccess.Web.ISelectQueryFilterService service as follows:

DefaultQueryBuilderContainer.Register<ISelectQueryFilterService, SelectQueryFilterService>();

More Examples

Implement Row-Level Security

This example assumes that several users share the same database. The application sets the current user ID in SESSION_CONTEXT. Once the database connection opens, security policies filter rows that shouldn’t be visible to the current user.

Refer to the following example for the complete source code that implements the scenario listed above:

View Example: Reporting for ASP.NET Core - Implement Row-Level Security

The following image displays the registration form where you can select a user to see the report that displays filtered data based on your selection:

Web Reporting application

The following code snippet shows how to implement IDBConnectionInterceptor that filters data when the application connects to the database:

  1. Implement the IDBConnectionInterceptor interface (RLSConnectionInterceptor.cs in this example). When the database connection opens, store the current user ID in SESSION_CONTEXT. Modify queries to the Order table - filter data by user ID. This way you implement database behavior equivalent to connection filtering.

    using DevExpress.DataAccess.Sql;
using System.Data;

namespace WebReport.Services {
    public class RLSConnectionInterceptor : IDBConnectionInterceptor {
        readonly int employeeId;
        public RLSConnectionInterceptor(IUserService userService) {
            employeeId = userService.GetCurrentUserId();
        }

        public void ConnectionOpened(string sqlDataConnectionName, IDbConnection connection) {
            using(var command = connection.CreateCommand()) {
                command.CommandText = $"EXEC sp_set_session_context @key = N'EmployeeId', @value = {employeeId}";
                command.ExecuteNonQuery();
            }
        }

        public void ConnectionOpening(string sqlDataConnectionName, IDbConnection connection) { }
    }
}

  2. Register RLSConnectionInterceptor as an extension in IServiceCollection.

    var builder = WebApplication.CreateBuilder(args);

builder.Services.AddScoped<IDBConnectionInterceptor, RLSConnectionInterceptor>();

var app = builder.Build();