salesforce - report permission issue data missing - security

Depending on the user, report data is missing when viewed via the dashboard.
- In security settings I gave organization-wide read/write permission.
- The reports are based on two custom data objects with a master/child relationship (which is also set as read/write).
- The report folder is also set as "read/write" and all users have permission.
Anything else that I forgot to check?
Thanks!

What error do you experience? "Insufficient privileges"? Or maybe report loads fine but just shows 0 rows?
When drilling down to the detailed report you need to make sure that
1. the viewing user has at least Read permission in his Profile on both the master and child object
2. he must also have read permission to all fields used in the report (columns as well as filters. And if any of them is a formula -> check their source fields too).
Does the report use "My Opportunities" in the filters? Or unrealistic date criteria? If the dashboard wasn't refreshed in a while even date filters can cause you grief.
In some cases the Roles hierarchy is saved with the report - if the user sits in a different branch of the role hierarchy than the dashboard's running user, you might have to flip it to your top level Role for example. Run the report, examine top part for Role names, adapt if needed and save it.
Perhaps the best way to debug it is to log in as this user and try to recreate this report from scratch. If you can't even select the proper report type - this looks like scenario 1. If fields are missing - 2.

Related

(Nintex) Query User Profile returns missing values

Working in Nintex, I have a workflow that is kicked off when a form is saved. The workflow generates a PDF version of the Nintex form (we need actual signatures - digital in the future, fingers crossed). This is done by updating a Word template, then converting to PDF.
When the Word document is updated, the 'assigned to:' field is getting an AD account name instead of the user's First, Last name (which is expected). Now I'm trying to format it so it's more appropriate to the Hard Copy (in the Nintex form, it shows as Last, First).
I used a Query User Profile action, passed it the same variable I was using to hold the form's 'assigned to' value, and then used the drop down menu to choose the user profile variables I wanted (First, Last, also: username, account name, Distinguished name). All values are generating empty strings.
I've incrementally tried handing the values to variables that are of type String, Person, or Collection. I also handed it my username instead of the variable and set my account info for the login. I've always selected values, so I don't think it's a typo.
I'm at a loss... the workflow emails the user at the end, so it's getting the data. I hope that's enough info, I'm new to SP/Nintex so it could be a rookie mistake. Any help is appreciated.
Thank you!
I've seen issues where the User Profile Service properties have not been configured adequately, which leads to a lot of empty variables when running an LDAP Query action for AD attributes.
If this is the case, then one approach is to get the Farm admin (if you don't have access) to take a look at Manage User Profiles in Central Admin and see what AD attributes are mapped to the user profile. If mappings are changed you'll need to run a full sync to bring over the values. It can be inconsistent in my experience as well.

Implementing custom SSRS security within the report logic, in addition to ReportServer

SSRS Version 2008 (Not R2)
Hi all.
I am trying to implement custom security within a report being used for call center managers and agents. Here are my requirements:
- Agents can see their own stats and no one else's stats.
- Managers can see anyone's stats.
I have a report that shows basic call center stats like # of dropped calls, on hold time, etc. The report has two parameters. One for #Date and one for #AgentID. We want to make sure the managers can view this report for any agent and the agents can see their stats and only their stats. I have tried a few techniques and would like to accomplish this within the report logic (stored procedure). My latest attempt involved capturing the current user's login (SELECT CURRENT_USER) and then bumping that up against a WHERE clause in the report's main SELECT statement. This seems to work fine in SQL/SSMS but does not seem to catch on when deployed as an SSRS report.
    -- Sample user table
    SELECT DISTINCT
         ManagerID
        ,ManagerName
        ,LoginID
        ,'Manager' AS LEVEL
    INTO #user_SOURCE
    FROM dbo.AgentTable
    UNION
    SELECT DISTINCT
         AgentID
        ,AgentName
        ,LoginID
        ,'Agent'
    FROM dbo.AgentTable
    UNION
    SELECT
         1
        ,'My Name'
        ,'mylogin'
        ,'Tester'

    -- Then I have my simple SELECT statement that is inside a stored procedure and called by the report.
    SELECT TOP 1000 *
    FROM dbo.CallCenterReportTable
    WHERE CURRENT_USER IN
    (
        SELECT
            LoginID
        FROM #user_SOURCE
    )
The interesting thing is that I can do testing fine in SSMS, and I can even test it successfully in my local BIDS, but it only works in BIDS if I slightly adjust anything inside the report like page size, etc. Anything that would require a re-save of the RDL seems to make the security function as it should when viewing locally. That being said, the security will not work once deployed to the SSRS server. Even if I change the RDL slightly and redeploy, it does not work.
My last resort would be to create two reports that are almost identical. One would restrict use to only call center managers by AD role. The other would be open to agents and would utilize the USERID internal parameter in SSRS (WHERE USERID=#AgentID). I would really like to avoid having two reports if at all possible.
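A row filter for the two requirements in the question above, as an added example that is not part of the original post: the caller's identity arrives as a parameter bound to the SSRS built-in field User!UserID, because CURRENT_USER reflects the account the data source connects with rather than the person viewing the report. The names dbo.ReportUser and dbo.usp_CallCenterStats, and the AgentID and CallDate columns of the report table, are assumptions.

```sql
-- Added example (T-SQL), not the poster's procedure.
-- Hypothetical names: dbo.ReportUser, dbo.usp_CallCenterStats, and the
-- AgentID / CallDate columns assumed on dbo.CallCenterReportTable.

-- One row per person allowed to run the report.
CREATE TABLE dbo.ReportUser (
    LoginID   nvarchar(256) NOT NULL PRIMARY KEY,  -- DOMAIN\user, as SSRS reports it
    AgentID   int           NULL,                  -- NULL for managers
    UserLevel varchar(10)   NOT NULL
        CHECK (UserLevel IN ('Manager', 'Agent'))
);
GO

-- In Dataset Properties > Parameters, set the value of @CallerLogin to the
-- expression =User!UserID. It is then never a report parameter, so the viewer
-- has nothing to type into or override. @Date and @AgentID stay ordinary
-- report parameters.
CREATE PROCEDURE dbo.usp_CallCenterStats
    @CallerLogin nvarchar(256),
    @Date        date,
    @AgentID     int
AS
BEGIN
    SET NOCOUNT ON;

    SELECT s.*
    FROM dbo.CallCenterReportTable AS s
    WHERE s.CallDate = @Date
      AND s.AgentID  = @AgentID
      -- The authorization check is correlated to the row being returned:
      -- a manager matches every row, an agent only rows carrying their own ID.
      -- An unknown login matches nothing, so the default is no data.
      AND EXISTS (
            SELECT 1
            FROM dbo.ReportUser AS u
            WHERE u.LoginID = @CallerLogin
              AND (u.UserLevel = 'Manager' OR u.AgentID = s.AgentID)
          );
END;
GO
```

An agent who selects another agent's ID in the report gets an empty result set, so a single report can serve both audiences.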

How do we make a crystal report print only specific fields based off of the user running the report?

We use a construction software, Viewpoint. We need a report to print the GL Accounts associated only with the user running the report. I was wondering if anyone had any ideas on how I could easily and efficiently achieve this? My "last-resort alternative" is just creating separate reports for each GL that pulls only that GL's info.
It depends on how the accounts are associated to the user. If there is a link, you can simply create a user parameter that asks for the user name. Then in the record select of the report you only pull accounts that match the user name in the parameter.
So, for example your parameter is called {?userName}. In the Record Select the formula would be something like {Accounts.Salesman} = {?userName}, where {Accounts.Salesman} would be the field that links the user with the account.
You can get the current user name and use it to filter the records in your report. There are 2 ways to do this:
1. Create a parameter, hide it and automatically fill the value. You will need a special viewer for this scenario. Let me know if this is what you would prefer and I can give you some links. If you leave the parameter visible the user can insert any value and view any records.
2. Use a UFL. For example this one: http://www.viksoe.dk/code/u2lwin32.htm provides a function LoginName which will return the currently logged user. There are other UFLs which support similar functionality, check if your company is already using something. This one is free. You need to register the UFL on each system which will run the report. Once registered, the available functions will become available for formulas.
I personally prefer the viewer solution because it is more flexible and will cover other scenarios too. However if you need just the username UFL will be a better approach.

How can I provide role based security to notes in MS CRM 2011

I am working on Notes in MS CRM 2011.
I have many roles over many entities.
I want role based security to notes for any entity records.
Let me explain what I want:
Suppose I have an entity namely E1.
Roles R1 and R2 have read and write access to E1.
But I want that a user having role R2 can only upload and view notes for any record of entity E1.
Hope now my requirement is clear to all of you.
Please suggest how I can achieve it using MS CRM 2011.
I can think of two ways to do this.
1. You can create a plugin on create/update of the annotation(note) and check if the note is related to entity E1 and check the roles of the user making the change and see if they only have the R2 role. If that is the case you can throw an InvalidPluginExecutionException with a message like 'You do not have permissions to edit/create these records'.
2. You can try using role based forms or JS to hide the notes area for R1 users.
You probably want to use a combination of #1 & #2. The users can still access the notes via advanced find and thus will be able to edit those notes. The plugin will prevent that fringe case as well.
*Edit
There are a couple more things that you might be able to do to deal with the advanced find records. You can remove the annotation entity from advanced find via the unsupported method described here.
Otherwise there is one more thing you can do if you want to prevent those results showing up at all, and you want to stay supported. You can write a plugin on Post-RetrieveMultiple of the annotation entity to strip out the results directly from the return result. There are a couple downsides to this though.
- You are executing your plug-in every time the retrieve multiple is called on the entity. So this code will need to be as efficient as possible since that delay will be noticeable by the end user whenever they retrieve these records.
- Things like advanced find will display odd results. For example if your paging is set to 50 records and you strip out 10, they will only see 40 records on their page and the total record count will include the records you are stripping out.
Through roles I don't know a way to do that, because you configure the access to notes generically, so it applies to all entities. You have to access it with JavaScript, navigating in the DOM. Check an example:
    document.getElementById("notescontrol").contentWindow.document.getElementById("NotesTable")
You can check this with the help of a developer tool in your browser.

Best way to implement RBAC with Access

I'm programming a new application with many users, a few roles and specific permissions for those roles. For that I want to create the following tables:
Users (ID,Login, password,..)
Roles(ID,Rolename)
User_Roles(User_ID, Role_ID)
Permissions(ID,PermissionName)
Permission_Roles(Permission_ID, Role_ID)
My idea was to build a function, which allows to check if a user has a specific permission to access a form. I would do that by creating Permissions/Rules like 'canReadFormX', 'canEditFormX' which would allow me to use one main function to check and perform those specific rules and a function per form to call it.
Is that a way to go (or rather did I understand everything correctly regarding RBAC) or is that just far too complicated? Any advice is very appreciated!
It seems fair to me, and similar to what we have already set, for the first 3 tables.
You then have to solve the 'action' problem, ie to distribute permissions to use your appl's actions. I am not sure that your 'Permissions' proposal will cover all the situations, as you have to deal with 2 major categories of actions:
The 'Open form' actions, that you already have identified: you effectively have to define 2 levels of authorisation for each form: the 'view' right, and the 'update' right.
All other actions, such as form specific buttons or menus, that will allow you to run a specific action other than just opening a form (execute a report, make a specific calculation, automatically import or update data, etc).
One solution/My advice is to maintain 2 tables for this:
- A 'Forms' table
- An 'Actions' table

And the corresponding link tables:
- A 'Form_Role' table
- An 'Action_Role' table
With such a configuration, you are fully covered. You can even decide which role has the right to see a specific report on a specific form, as long as the corresponding action is accessed through a specific control or menu on the form.
Both Forms and Actions tables are very interesting as they both participate in your application metamodel...
EDIT: By the way, if you are on a domain, you can use user's domain credentials to control his\her access rights to your system. In this case you do not need to store a password in your RBAC system.
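The five tables from the question with the single permission check it describes, as an added example that is not part of the original posts. It is written in generic SQL rather than Access's own dialect, leaves out the password column, and uses constructed sample rows.

```sql
-- Added example: table and column names follow the question; all rows are constructed.
CREATE TABLE Users       (ID INTEGER PRIMARY KEY, Login          VARCHAR(64) NOT NULL UNIQUE);
CREATE TABLE Roles       (ID INTEGER PRIMARY KEY, Rolename       VARCHAR(64) NOT NULL UNIQUE);
CREATE TABLE Permissions (ID INTEGER PRIMARY KEY, PermissionName VARCHAR(64) NOT NULL UNIQUE);

-- Composite primary keys stop the same grant from being stored twice;
-- the foreign keys stop grants that point at a deleted user, role or permission.
CREATE TABLE User_Roles (
    User_ID INTEGER NOT NULL REFERENCES Users(ID),
    Role_ID INTEGER NOT NULL REFERENCES Roles(ID),
    PRIMARY KEY (User_ID, Role_ID)
);
CREATE TABLE Permission_Roles (
    Permission_ID INTEGER NOT NULL REFERENCES Permissions(ID),
    Role_ID       INTEGER NOT NULL REFERENCES Roles(ID),
    PRIMARY KEY (Permission_ID, Role_ID)
);

INSERT INTO Users       VALUES (1, 'alice'), (2, 'bob'), (3, 'carol');
INSERT INTO Roles       VALUES (1, 'Editor'), (2, 'Viewer');
INSERT INTO Permissions VALUES (1, 'canReadFormX'), (2, 'canEditFormX');
INSERT INTO User_Roles       VALUES (1, 1), (2, 2);          -- carol holds no role
INSERT INTO Permission_Roles VALUES (1, 1), (2, 1), (1, 2);  -- Editor: read+edit, Viewer: read

-- The one check every form calls before opening. It yields 1 only when some
-- role held by the user carries the permission; a missing user, role or grant
-- yields 0, so access is denied by default. In the application the two
-- literals are bound parameters, never concatenated strings.
SELECT CASE WHEN EXISTS (
    SELECT 1
    FROM Users u
    JOIN User_Roles ur       ON ur.User_ID = u.ID
    JOIN Permission_Roles pr ON pr.Role_ID = ur.Role_ID
    JOIN Permissions p       ON p.ID = pr.Permission_ID
    WHERE u.Login = 'bob'
      AND p.PermissionName = 'canEditFormX'
) THEN 1 ELSE 0 END AS allowed;

-- Review query: effective permissions per user. Users without any role
-- still appear, with NULLs, so accounts with no access are visible too.
SELECT u.Login, r.Rolename, p.PermissionName
FROM Users u
LEFT JOIN User_Roles ur       ON ur.User_ID = u.ID
LEFT JOIN Roles r             ON r.ID = ur.Role_ID
LEFT JOIN Permission_Roles pr ON pr.Role_ID = ur.Role_ID
LEFT JOIN Permissions p       ON p.ID = pr.Permission_ID
ORDER BY u.Login, p.PermissionName;
```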
