User-Level Security


You can use the current user's ID to put certain restrictions on what resources they have access to.
The ASP Report Wizard fulfills this requirement by exposing three simple properties that control how reports are created and updated: CanAdd, CanDelete and CanEdit. The IsAdmin property overrides these three as specified.
Dim objWiz
Set objWiz = Server.CreateObject("AspWebSolution.ReportWizard2")

With objWiz     
    'if an administrator
    If CInt(Session("UserSeqLevel"))>4 Then
        'do nothing - an administrator
    ElseIf CInt(Session("UserSeqLevel"))>2 Then
        'a data input clerk
        .CanDelete = False
    Else
        .IsAdmin = False
    End If
End With

'Make sure you initialize before adding any HTML text
objWiz.Init("PROVIDER=Microsoft.Jet.OLEDB.4.0;DATA SOURCE=C:\Databases\nwind.mdb;")
   
'put this where you want your reports
objWiz.DisplayReports
   
Set objWiz = Nothing
The HiddenTables property can also be used to hide or ignore database tables and views that you don't want showing up in the report wizard. For example, you might want to hide a table that contains credit card numbers or passwords. You can also use the HiddenReports property to hide certain report groups from the current user, for example hiding Sales reports from a Human Resources employee.
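'hide these report groups from the current user
objWiz.HiddenReports = "HR,RD,Group3"
'only the HR department may see the Employees table
If Session("UserDepartment")<>"HR" Then
    objWiz.HiddenTables = "Employees"
End If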
Alternatively, you can use the UseReports and UseTables properties to expose only certain reports or certain database tables and views.
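
An allowlist version of the role check above, using UseTables and UseReports so that a table added to the database later is not exposed by default. This is an added example, not vendor code: it assumes both properties take the same comma-separated string as HiddenReports, and the SafeLevel helper, the "Sales" department and report group, and the table names (Northwind sample) are illustrative.

```vbscript
' Added example. Assumption: UseTables / UseReports accept a comma-separated list.

' Read the session level defensively: CInt raises a runtime error on
' non-numeric or out-of-range values, so anything unexpected becomes 0.
Function SafeLevel()
    Dim v
    v = Session("UserSeqLevel")
    SafeLevel = 0
    If IsNumeric(v) Then
        If CDbl(v) >= 0 And CDbl(v) <= 32767 Then SafeLevel = CInt(v)
    End If
End Function

Dim objWiz, level, dept
level = SafeLevel()
dept = Session("UserDepartment") & ""   'missing value becomes an empty string

Set objWiz = Server.CreateObject("AspWebSolution.ReportWizard2")

With objWiz
    'same privilege tiers as the first example on this page
    If level > 4 Then
        'do nothing - an administrator
    ElseIf level > 2 Then
        .CanDelete = False
    Else
        .IsAdmin = False
    End If

    'non-administrators see only what their department is listed for;
    'an unknown or missing department falls through to the narrowest set
    If level <= 4 Then
        Select Case dept
            Case "HR"
                .UseTables = "Employees"
                .UseReports = "HR"
            Case "Sales"
                .UseTables = "Orders,Customers,Products"
                .UseReports = "Sales"
            Case Else
                .UseTables = "Products"
                .UseReports = "Group3"
        End Select
    End If
End With

'Make sure you initialize before adding any HTML text
objWiz.Init("PROVIDER=Microsoft.Jet.OLEDB.4.0;DATA SOURCE=C:\Databases\nwind.mdb;")
objWiz.DisplayReports
Set objWiz = Nothing
```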

...

Data Access Security


The user's identity can also be used to dynamically tailor the contents of the data displayed by adding the @USERID or @USERNAME system parameter to the report's filters.
This reduces the records the user has access to, since they would be directly related to their @USERID. For example: performing a search on Orders when [Orders.OrderID] = @USERID. For more information on adding report parameters, see the tutorial on adding report parameters.
...

Adding Report Passwords


To increase security, we added the capability of protecting your reports with passwords.
This can be done from the wizard dialog menu of the report's title & description screen. This password is securely encoded with the report's hash so as to maintain its privacy.
...

File System Security


The ASP Report Wizard does not create any files and cannot access any system files.
The only file it uses is the reports.xml into which it saves its reports.
The ASP Report Wizard is a safe and sand-boxed component which only accesses the database for which a connection string is provided.

The ASP Report Wizard does not use any Cookies or Session objects. It lives in real time, encrypted within the client's browser.

You can also hide your report files remotely on a secure drive. If you do this, all you have to do is set the reports file location using the ReportsFile property as shown below:

'set your reports file location before you initialize
objWiz.ReportsFile = "/secure/data/showcase.xml"

'Make sure you initialize before adding any HTML text
objWiz.Init("PROVIDER=Microsoft.Jet.OLEDB.4.0;DATA SOURCE=C:\Databases\nwind.mdb;")


...