Vision and Scope Document | SSRS Prototype
Row Level Security (RLS)
Version 1.0
Vision and Scope Document | SSRS Prototype, Row Level Security (RLS)
© AIM Business Driven Data Solutions, 2019 Page 2 of 9
Vision
Pam Lehmann and Brian Leslie have identified a need to provide Row Level Security (RLS) for a Microsoft application (SQL
Server Reporting Services [SSRS]) to service new and existing Sales, Finance, and Operations reports. The source for
these reports is TricorBraun’s ERP system, Microsoft Dynamics 365. Two Dynamics 365
applications are currently being considered as sources for this initiative: Sales
(CRM) and Finance and Operations. Below are the identified Executive Leadership and Stakeholders from TricorBraun:
• Jeff Douglas, VP Sales Effectiveness
• Bill Stultz, VP of Finance for System’s Controller, Finance (Executive Champion)
• Dave Duxbury, VP of Operations, GSC – Logistics (Executive Champion)
• Doug Bolen, Chief Information Officer
• Pam Lehmann, Director, Applications, IT
• Brian Leslie, Senior Reporting Analyst, IT
• Donovan Foster, IT Consultant, PMO, IT
• Sarah Thomason, Project Manager
• Mike Lang, Consultant - RSM
Due to the complexity of this initiative, it has been decided to complete an SSRS RLS Prototype before we complete the
final, expanded Vision Scope Document and the final Design Document. This Vision Scope Document is of limited scope,
covering only the prototype. As the team at TricorBraun identifies and finalizes the expanded scope, we will document it and
append it to an Expanded Vision Scope Document intended for the final design and development, not the prototype.
For the SSRS RLS prototype, we will be using the Daily Gross Profit Report. This SSRS report uses 1 main stored
procedure and a few stored procedures to support report parameters. RLS will need to be applied to the main stored
procedure as well as to the stored procedures that support report parameters. The deliverable and timeline for the SSRS RLS
prototype depend heavily on how the stored procedures are built and how they query the Division, Region, and
Customer dimensions. This process will be different for each stored procedure for every SSRS report. In extreme
conditions, the stored procedures may need to be totally recreated to apply where clause filters early in the stored
procedure, or to apply more complex where clause filters using a case statement.
SSRS is not role-based security, so an entitlement table will need to be created. The stored procedure logic (in all SPs)
will need to be able to determine from the entitlement table where to apply the where clause in the code. It is possible
that a case statement can be used to change the where clause based on what is stored in the entitlement table, so that
in one case the where clause will filter the Division table, and in another case the where clause will filter the
Region table. However, only one (1) table can be used to filter (Division, Region, or Customer). Understanding how this
will work and the impact on the star schema is a major reason for prototyping the SSRS RLS scenario. Complexities in this
SSRS prototype may extend the projected timelines.
Approach
The SSRS RLS prototype will require the entitlement table be populated with AD Usernames and one (1) table to filter
either Division, Region, or Customer. This table will also need all of the divisions, regions, or customers a user can see.
SQL Server Reporting Services (SSRS) 2017 and Visual Studio 2017 will be used to develop the RLS prototype for SSRS.
The SSRS prototype will use an entitlement table and modified stored procedures where the user's place in the
organization is used to determine which divisions, regions, and customers a user can access. The prototype will use an
entitlement table to apply RLS to the user's place in the organization for only one (1) of the following: divisions, regions,
or customers for any given user.
Our goal for these prototypes is to apply RLS to the most common security scenario, not the exceptions. We have agreed
to the idea that the prototypes should target the 80/20 business rule.
Deliverables
SSRS RLS has one (1) deliverable:
• Development RLS Prototype for SSRS Start Date: 3/28/2019 End Date: 4/18/2019
o Multiple personas plus Business User Personas (no AD Groups)
o A complex security model using division, region, and customer tables (to apply RLS), an entitlement table, and a
User (contains User Login ID) table.
o Apply RLS to 1 Identified SSRS Report and add Predicate Functions, Security Predicates / Policies, and DB Roles
o Uses production data for one (1) business defined test SSRS report, stored procedure and parameters
o Manual process to load the security entitlement table and the security User table with test data (minimal rows)
o 1 Entitlement table to store all Division, Region, and Customer security details as well as the AD User Name
Clarifications
These are the clarifications for the RLS project:
• The SSRS prototype and development for RLS will use 1 identified SSRS Report and one (1) related Stored Procedure
• The business and IT teams will develop and maintain the one (1) identified SSRS report and one (1) related stored procedure
• The business and IT teams will develop and maintain the one (1) Entitlement table and ETL for this entitlement table
• The business and IT teams will develop and maintain one (1) security User table and ETL for this User table
• SSRS is not a modeling tool, so AD Group Names are not Usable with Security tables (only AD User Names)
• The business and IT teams will develop and maintain one (1) Invoice Star Schema and ETL for that Star Schema
• Effort estimates are based on 100% resource utilization. Sprints with less than 100% resource utilization, unplanned
maintenance, or non-concurrent development blocks of time may result in increased timelines and end dates.
How to get the Job Done
We will be using the following processes and tools to complete this project and deliverables:
• Azure DevOps (VSTS)
• Team Foundation Services, or Git (TBD), since both are used at TricorBraun for Source Control and Change Management
• We are limiting the work-in-progress by using properly planned deliverables
• PBIs, Tasks, and Kanban Boards will be used as part of Azure DevOps (VSTS)
o Product backlog
o Tasks
o Weekly PowerPoint Updates
o Sprints are not used at TricorBraun
• A scope change log for this document will be used to manage change in an Agile fashion
o Name
o Description (Impact)
o Version
o Requested By
o Approved By
o Date
Change Log
Name Description (Impact) Version Requested By Approved By Date
Appendix A | SSRS, RLS Security Tables
The RLS prototype and development use a complex security model using division, region, and customer tables
(dimensions to apply RLS), an entitlement table, and User (contains AD User Name) table.
Entitlement Table
ADUserName             TotalCompany  DivisionSecurityID  RegionSecurityID  AccountNum
tricorbraunryan.casey  -             -                   Reg_TX            -
tricorbraunbleslie     Yes           -                   -                 -
tricorbraunplehmann    Yes           -                   -                 -
tricorbraunsthomason   -             Div_SW              -                 -
tricorbraunklahiri     -             -                   Reg_TX            -
tricorbraunszhang      -             -                   -                 105288
tricorbraunpkurra      -             Div_SW              -                 -
tricorbraunrkitsch     -             -                   -                 105305
… Additional Users     …             …                   …                 …
Many to 1 (relationship to the User Table below)
User Table
ADUserName
tricorbraunryan.casey
tricorbraunbleslie
tricorbraunplehmann
tricorbraunsthomason
tricorbraunklahiri
tricorbraunszhang
tricorbraunpkurra
tricorbraunrkitsch
… Additional Users
Appendix B | SSRS Security Flow Diagram
SSRS Report
Row Level Security | SSRS Security Flow Diagram

Parameter Stored Procedures
Get @SecurityType from Entitlement Table (Division, Region, Customer)
Where Clause Predicate
    Select * from FinalResultsSet F
    LEFT JOIN EntitlementTable E1
        ON F.DivisionID = E1.DivisionID
    LEFT JOIN EntitlementTable E2
        ON F.RegionID = E2.RegionID
    LEFT JOIN EntitlementTable E3
        ON F.AccountNum = E3.AccountNum
    WHERE CASE
        WHEN @SecurityType = 'Division'
            THEN F.DivisionID IN E1.DivisionID
        WHEN @SecurityType = 'Region'
            THEN F.RegionID IN E2.RegionID
        WHEN @SecurityType = 'Customer'
            THEN F.AccountNum IN E3.AccountNum
        ELSE 1
    END IN COALESCE(E1.DivisionID, E2.RegionID, E3.AccountNum, 1)

Main Stored Procedure
Get @SecurityType from Entitlement Table (Division, Region, Customer)
Where Clause Predicate
    Select * from FinalResultsSet F
    LEFT JOIN EntitlementTable E1
        ON F.DivisionID = E1.DivisionID
    LEFT JOIN EntitlementTable E2
        ON F.RegionID = E2.RegionID
    LEFT JOIN EntitlementTable E3
        ON F.AccountNum = E3.AccountNum
    WHERE CASE
        WHEN @SecurityType = 'Division'
            THEN F.DivisionID IN E1.DivisionID
        WHEN @SecurityType = 'Region'
            THEN F.RegionID IN E2.RegionID
        WHEN @SecurityType = 'Customer'
            THEN F.AccountNum IN E3.AccountNum
        ELSE 1=1
    END

** The case statement in the Where clause needs to be proved to work. If the example to the left
won't work, we will have to create a comma separated string when we get the security type.

Get @SecurityType and @CommaSeperatedString
Where Clause Predicate
    Select * from FinalResultsSet F
    WHERE CASE
        WHEN @SecurityType = 'Division'
            THEN F.DivisionID
        WHEN @SecurityType = 'Region'
            THEN F.RegionID
        WHEN @SecurityType = 'Customer'
            THEN F.AccountNum
        ELSE 1
    END IN @CommaSeperatedString
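The entitlement filter described in the Vision section and sketched in this flow diagram, written as an added T-SQL example that is not part of the original document or the project's code. A single EXISTS predicate stands in for both the CASE expression and the comma separated string, and a user with no entitlement row gets no rows instead of falling through to ELSE 1=1; it also covers users with several entitlement rows, which goes beyond the one-filter-per-user prototype. The temp object names, the binding of @ADUserName to the SSRS built-in User!UserID, NULL for the "-" cells, and all sample rows are assumptions.

```sql
-- Added example, not the project's code. Temp objects only; all rows are constructed.
-- Entitlement columns follow Appendix A; NULL stands for the "-" cells.
CREATE TABLE #EntitlementTable (
    ADUserName         nvarchar(128) NOT NULL,
    TotalCompany       varchar(3)    NULL,   -- 'Yes' = sees the whole company
    DivisionSecurityID varchar(20)   NULL,
    RegionSecurityID   varchar(20)   NULL,
    AccountNum         varchar(20)   NULL
);

INSERT INTO #EntitlementTable VALUES
    (N'EXAMPLE\all.user',      'Yes', NULL,     NULL,     NULL),
    (N'EXAMPLE\division.user', NULL,  'Div_SW', NULL,     NULL),
    (N'EXAMPLE\region.user',   NULL,  NULL,     'Reg_TX', NULL),
    (N'EXAMPLE\customer.user', NULL,  NULL,     NULL,     '105288');

-- Stand-in for the report's final result set (hypothetical columns).
CREATE TABLE #FinalResultsSet (
    InvoiceID   int           NOT NULL,
    DivisionID  varchar(20)   NOT NULL,
    RegionID    varchar(20)   NOT NULL,
    AccountNum  varchar(20)   NOT NULL,
    GrossProfit decimal(12,2) NOT NULL
);

INSERT INTO #FinalResultsSet VALUES
    (1, 'Div_SW', 'Reg_TX', '105288', 100.00),
    (2, 'Div_SW', 'Reg_SW', '105305', 200.00),
    (3, 'Div_NE', 'Reg_NE', '105999', 300.00);
GO

-- Main stored procedure.
-- @ADUserName is assumed to be supplied from the SSRS expression =User!UserID
-- through a parameter the report user cannot edit, so the caller cannot pick
-- whose entitlements are applied.
CREATE PROCEDURE #DailyGrossProfit_RLS
    @ADUserName nvarchar(128)
AS
BEGIN
    SET NOCOUNT ON;

    SELECT F.InvoiceID, F.DivisionID, F.RegionID, F.AccountNum, F.GrossProfit
    FROM #FinalResultsSet AS F
    WHERE EXISTS (
        SELECT 1
        FROM #EntitlementTable AS E
        WHERE E.ADUserName = @ADUserName
          -- A NULL entitlement column compares as UNKNOWN, so only the
          -- populated column of each row can grant access.
          AND (   E.TotalCompany       = 'Yes'
               OR E.DivisionSecurityID = F.DivisionID
               OR E.RegionSecurityID   = F.RegionID
               OR E.AccountNum         = F.AccountNum)
    );
END;
GO

-- Parameter stored procedure: the Division drop-down is filtered with the
-- same predicate, so the parameter list does not reveal divisions the user
-- cannot query.
CREATE PROCEDURE #DivisionParameter_RLS
    @ADUserName nvarchar(128)
AS
BEGIN
    SET NOCOUNT ON;

    SELECT DISTINCT F.DivisionID
    FROM #FinalResultsSet AS F
    WHERE EXISTS (
        SELECT 1
        FROM #EntitlementTable AS E
        WHERE E.ADUserName = @ADUserName
          AND (   E.TotalCompany       = 'Yes'
               OR E.DivisionSecurityID = F.DivisionID
               OR E.RegionSecurityID   = F.RegionID
               OR E.AccountNum         = F.AccountNum)
    );
END;
GO

-- One call per persona, plus a user who has no entitlement row at all.
-- For that user the EXISTS is false for every row, so the report fails closed.
EXEC #DailyGrossProfit_RLS  @ADUserName = N'EXAMPLE\all.user';
EXEC #DailyGrossProfit_RLS  @ADUserName = N'EXAMPLE\division.user';
EXEC #DailyGrossProfit_RLS  @ADUserName = N'EXAMPLE\region.user';
EXEC #DailyGrossProfit_RLS  @ADUserName = N'EXAMPLE\customer.user';
EXEC #DailyGrossProfit_RLS  @ADUserName = N'EXAMPLE\unlisted.user';
EXEC #DivisionParameter_RLS @ADUserName = N'EXAMPLE\region.user';
```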
Appendix C | Security Division ID
-- [Invoicing].[dbo].[DimDivision] with SecurityDivisionID
SELECT TOP (1000) [DivisionKey]
,[DivisionId]
,CASE
WHEN [DivisionId] = 'Central' THEN 'Central'
WHEN [DivisionId] = 'Div_CCE' THEN 'Div_CCE'
WHEN [DivisionId] = 'Div_Intl' THEN 'Div_Intl'
WHEN [DivisionId] = 'Div_MNA' THEN 'Div_MNA'
WHEN [DivisionId] = 'Div_NE' THEN 'Div_NE'
WHEN [DivisionId] = 'Div_NW' THEN 'Div_NW'
WHEN [DivisionId] = 'Div_Other' THEN 'Div_Other'
WHEN [DivisionId] = 'Div_PkgAll' THEN 'Div_PkgAll'
WHEN [DivisionId] = 'Div_PNW' THEN 'Div_PNW'
WHEN [DivisionId] = 'Div_SE' THEN 'Div_SE'
WHEN [DivisionId] = 'Div_SW' THEN 'Div_SW'
WHEN [DivisionId] = 'Div_Taipak' THEN 'Div_Taipak'
WHEN [DivisionId] = 'Div_WP' THEN 'Div_WP'
WHEN [DivisionId] = 'International' THEN 'International'
WHEN [DivisionId] = 'Midwest' THEN 'Midwest'
WHEN [DivisionId] = 'MNA_Div' THEN 'MNA_Div'
WHEN [DivisionId] = 'Other' THEN 'Other'
WHEN [DivisionId] = 'PNW_Div' THEN 'PNW_Div'
WHEN [DivisionId] = 'Taipak_Div' THEN 'Taipak_Div'
WHEN [DivisionId] = 'Unknown' THEN 'Unknown'
WHEN [DivisionId] = 'West' THEN 'West'
WHEN [DivisionId] = 'Wine' THEN 'Wine'
END [SecurityDivisionID]
,[DivisionDescription]
,[CreatedDate]
,[CreatedBy]
,[UpdatedDate]
,[UpdatedBy]
,[SortOrder]
,[IsActive]
FROM [Invoicing].[dbo].[DimDivision]
ORDER BY [DivisionId]
Appendix D | Security Region ID
-- [Invoicing].[dbo].[DimRegion] with SecurityRegionID--
SELECT TOP (1000) [RegionKey] ,[RegionId]
,CASE
WHEN [RegionId] = 'Acedo' THEN 'Acedo'
WHEN [RegionId] = 'Binkowski' THEN 'Binkowski'
WHEN [RegionId] = 'Borras' THEN 'Borras'
WHEN [RegionId] = 'Bottene' THEN 'Bottene'
WHEN [RegionId] = 'Briggs' THEN 'Briggs'
WHEN [RegionId] = 'Caldwell' THEN 'Caldwell'
WHEN [RegionId] = 'Canada' THEN 'Canada'
WHEN [RegionId] = 'Danheiser' THEN 'Danheiser'
WHEN [RegionId] = 'Davis' THEN 'Davis'
WHEN [RegionId] = 'DuClos' THEN 'DuClos'
WHEN [RegionId] = 'Europe' THEN 'Europe'
WHEN [RegionId] = 'Forbes' THEN 'Forbes'
WHEN [RegionId] = 'Gibbs' THEN 'Gibbs'
WHEN [RegionId] = 'Kliska' THEN 'Kliska'
WHEN [RegionId] = 'Logue' THEN 'Logue'
WHEN [RegionId] = 'Mexico' THEN 'Mexico'
WHEN [RegionId] = 'MidAtlantic' THEN 'MidAtlantic'
WHEN [RegionId] = 'MidMountain' THEN 'MidMountain'
WHEN [RegionId] = 'MidSouth' THEN 'MidSouth'
WHEN [RegionId] = 'Midwest' THEN 'Midwest'
WHEN [RegionId] = 'Muster' THEN 'Muster'
WHEN [RegionId] = 'Northeast' THEN 'Northeast'
WHEN [RegionId] = 'Northwest' THEN 'Northwest'
WHEN [RegionId] = 'Other' THEN 'Other'
WHEN [RegionId] = 'OtherRegion' THEN 'OtherRegion'
WHEN [RegionId] = 'PkgDesign' THEN 'PkgDesign'
WHEN [RegionId] = 'POD' THEN 'POD'
WHEN [RegionId] = 'PODRegion' THEN 'PODRegion'
WHEN [RegionId] = 'SalesInit' THEN 'SalesInit'
WHEN [RegionId] = 'Simpson' THEN 'Simpson'
WHEN [RegionId] = 'Small' THEN 'Small'
WHEN [RegionId] = 'Southeast' THEN 'Southeast'
WHEN [RegionId] = 'Southwest' THEN 'Southwest'
WHEN [RegionId] = 'Taylor' THEN 'Taylor'
WHEN [RegionId] = 'Texas' THEN 'Texas'
WHEN [RegionId] = 'Unknown' THEN 'Unknown'
WHEN [RegionId] = 'WinePak' THEN 'WinePak'
WHEN [RegionId] = 'Taipak_Reg' THEN 'Taipak_Reg'
WHEN [RegionId] = 'MNA_Reg' THEN 'MNA_Reg'
WHEN [RegionId] = 'PNW_Reg' THEN 'PNW_Reg'
WHEN [RegionId] = 'San_Fran_Reg' THEN 'San_Fran_Reg'
WHEN [RegionId] = 'Reg_CE' THEN 'Reg_CE'
WHEN [RegionId] = 'Reg_EU' THEN 'Reg_EU'
WHEN [RegionId] = 'Reg_MME' THEN 'Reg_MME'
WHEN [RegionId] = 'Reg_MNA' THEN 'Reg_MNA'
WHEN [RegionId] = 'Reg_MS' THEN 'Reg_MS'
WHEN [RegionId] = 'Reg_MW' THEN 'Reg_MW'
WHEN [RegionId] = 'Reg_NE' THEN 'Reg_NE'
WHEN [RegionId] = 'Reg_Other' THEN 'Reg_Other'
WHEN [RegionId] = 'Reg_PNW' THEN 'Reg_PNW'
WHEN [RegionId] = 'Reg_POD' THEN 'Reg_POD'
WHEN [RegionId] = 'Reg_SE' THEN 'Reg_SE'
WHEN [RegionId] = 'Reg_SF' THEN 'Reg_SF'
WHEN [RegionId] = 'Reg_SW' THEN 'Reg_SW'
WHEN [RegionId] = 'Reg_Taipak' THEN 'Reg_Taipak'
WHEN [RegionId] = 'Reg_TX' THEN 'Reg_TX'
WHEN [RegionId] = 'Reg_CW' THEN 'Reg_CW'
WHEN [RegionId] = 'Reg_MX' THEN 'Reg_MX'
WHEN [RegionId] = 'Reg_WP' THEN 'Reg_WP'
WHEN [RegionId] = 'Reg_PkgAll' THEN 'Reg_PkgAll'
END [SecurityRegionID]
,[RegionDescription],[CreatedDate],[CreatedBy],[UpdatedDate],[UpdatedBy],[IsActive]
FROM [Invoicing].[dbo].[DimRegion]
Vision and Scope Document | SSRS Prototype, Row Level Security (RLS)
© AIM Business Driven Data Solutions, 2019 Page 9 of 9

More Related Content

PDF
RLS Prototype ETL | Vision and Scope Document
PDF
SSAS RLS Prototype | Vision and Scope Document
PDF
Transcend Automation Canary Lab Products
PDF
"How to document your decisions", Dmytro Ovcharenko
PPT
Managing Data Integration Initiatives
PPTX
GraphQL Summit 2019 - Configuration Driven Data as a Service Gateway with Gra...
DOCX
Informatica
PDF
A Roadmap to Data Migration Success
RLS Prototype ETL | Vision and Scope Document
SSAS RLS Prototype | Vision and Scope Document
Transcend Automation Canary Lab Products
"How to document your decisions", Dmytro Ovcharenko
Managing Data Integration Initiatives
GraphQL Summit 2019 - Configuration Driven Data as a Service Gateway with Gra...
Informatica
A Roadmap to Data Migration Success

What's hot (20)

PPS
ERP Data Migration Methodologies
PPTX
Big Data and BI Tools - BI Reporting for Bay Area Startups User Group
PDF
MSBI-SQL Server Reporting Services
PDF
SAP BW vs Teradat; A White Paper
PPTX
SAP HANA Integrated with Microstrategy
PPTX
Data flow in Extraction of ETL data warehousing
PPTX
Sql business intelligence
PDF
prime_bi_brochure
PPTX
Presentation 1 - SSRS (1)
PPTX
Database migration
PDF
Unified Enterprise Data Mapping, Governance & Automation Platform
PDF
Kingshir-KADMS features
PPT
SSRS 2008 R2
PDF
Whats New Sql Server 2008 R2
PPT
Basics & Intro to SQL Server Reporting Services: Sql Server Ssrs 2008 R2
PDF
SAP HANA Data integration using Informatica
PPTX
Reports with SQL Server Reporting Services
PDF
Informatica slides
PPTX
Ssrs introduction session 1
PPTX
BI Reporting Application Comparison
ERP Data Migration Methodologies
Big Data and BI Tools - BI Reporting for Bay Area Startups User Group
MSBI-SQL Server Reporting Services
SAP BW vs Teradat; A White Paper
SAP HANA Integrated with Microstrategy
Data flow in Extraction of ETL data warehousing
Sql business intelligence
prime_bi_brochure
Presentation 1 - SSRS (1)
Database migration
Unified Enterprise Data Mapping, Governance & Automation Platform
Kingshir-KADMS features
SSRS 2008 R2
Whats New Sql Server 2008 R2
Basics & Intro to SQL Server Reporting Services: Sql Server Ssrs 2008 R2
SAP HANA Data integration using Informatica
Reports with SQL Server Reporting Services
Informatica slides
Ssrs introduction session 1
BI Reporting Application Comparison
Ad

Similar to SSRS RLS Prototype | Vision and Scope Document (20)

PPTX
Ssn#14 reporting services part ii
PDF
DDS-TSN OMG Request for Proposals (RFP)
PDF
Increased IT infrastructure effectiveness by 80% with Microsoft system center...
PPTX
Salesforce Multitenant Architecture: How We Do the Magic We Do
DOC
SaaSRefArch
PDF
0.3 aim phases_and_documentations
PDF
BI Environment Technical Analysis
DOCX
Ravi_Narala_Resume
DOCX
CMGT410 v19Business Requirements TemplateCMGT410 v19Page 2.docx
PDF
Understanding the Salesforce Architecture: How We Do the Magic We Do
PDF
Database Engine Control though Web Portal Monitoring Configuration
PDF
SNIA white paper-sw defined storage
PDF
Cloud Design Patterns Book from Microsoft
PDF
Presentation application change management and data masking strategies for ...
PPT
S299137 Enterprise Saa S Behind The Operational Scenes Of Oracle Crm On Demand
PDF
Basic-Project-Estimation-1999
DOC
Resume_Krishna.M
PPSX
M.S. Dissertation in Salesforce on Force.com
PDF
Pysyvästi laadukasta masterdataa SmartMDM:n avulla
PDF
Building a SaaS Style Application
Ssn#14 reporting services part ii
DDS-TSN OMG Request for Proposals (RFP)
Increased IT infrastructure effectiveness by 80% with Microsoft system center...
Salesforce Multitenant Architecture: How We Do the Magic We Do
SaaSRefArch
0.3 aim phases_and_documentations
BI Environment Technical Analysis
Ravi_Narala_Resume
CMGT410 v19Business Requirements TemplateCMGT410 v19Page 2.docx
Understanding the Salesforce Architecture: How We Do the Magic We Do
Database Engine Control though Web Portal Monitoring Configuration
SNIA white paper-sw defined storage
Cloud Design Patterns Book from Microsoft
Presentation application change management and data masking strategies for ...
S299137 Enterprise Saa S Behind The Operational Scenes Of Oracle Crm On Demand
Basic-Project-Estimation-1999
Resume_Krishna.M
M.S. Dissertation in Salesforce on Force.com
Pysyvästi laadukasta masterdataa SmartMDM:n avulla
Building a SaaS Style Application
Ad

Recently uploaded (20)

PPTX
01_intro xxxxxxxxxxfffffffffffaaaaaaaaaaafg
PPTX
Microsoft-Fabric-Unifying-Analytics-for-the-Modern-Enterprise Solution.pptx
PDF
Transcultural that can help you someday.
PDF
Mega Projects Data Mega Projects Data
PDF
.pdf is not working space design for the following data for the following dat...
PPT
Quality review (1)_presentation of this 21
PPT
ISS -ESG Data flows What is ESG and HowHow
PPTX
Introduction to Basics of Ethical Hacking and Penetration Testing -Unit No. 1...
PPTX
AI Strategy room jwfjksfksfjsjsjsjsjfsjfsj
PDF
Lecture1 pattern recognition............
PPTX
Acceptance and paychological effects of mandatory extra coach I classes.pptx
PDF
Introduction to the R Programming Language
PPT
Miokarditis (Inflamasi pada Otot Jantung)
PPTX
The THESIS FINAL-DEFENSE-PRESENTATION.pptx
PPTX
oil_refinery_comprehensive_20250804084928 (1).pptx
PPTX
Database Infoormation System (DBIS).pptx
PDF
Business Analytics and business intelligence.pdf
PPTX
IB Computer Science - Internal Assessment.pptx
PDF
168300704-gasification-ppt.pdfhghhhsjsjhsuxush
PPT
Reliability_Chapter_ presentation 1221.5784
01_intro xxxxxxxxxxfffffffffffaaaaaaaaaaafg
Microsoft-Fabric-Unifying-Analytics-for-the-Modern-Enterprise Solution.pptx
Transcultural that can help you someday.
Mega Projects Data Mega Projects Data
.pdf is not working space design for the following data for the following dat...
Quality review (1)_presentation of this 21
ISS -ESG Data flows What is ESG and HowHow
Introduction to Basics of Ethical Hacking and Penetration Testing -Unit No. 1...
AI Strategy room jwfjksfksfjsjsjsjsjfsjfsj
Lecture1 pattern recognition............
Acceptance and paychological effects of mandatory extra coach I classes.pptx
Introduction to the R Programming Language
Miokarditis (Inflamasi pada Otot Jantung)
The THESIS FINAL-DEFENSE-PRESENTATION.pptx
oil_refinery_comprehensive_20250804084928 (1).pptx
Database Infoormation System (DBIS).pptx
Business Analytics and business intelligence.pdf
IB Computer Science - Internal Assessment.pptx
168300704-gasification-ppt.pdfhghhhsjsjhsuxush
Reliability_Chapter_ presentation 1221.5784

SSRS RLS Prototype | Vision and Scope Document

  • 1. Vision and Scope Document | SSRS Prototype Row Level Security (RLS) Version 1.0
  • 2. Vision and Scope Document | SSRS Prototype, Row Level Security (RLS) © AIM Business Driven Data Solutions, 2019 Page 2 of 9 Vision Pam Lehmann and Brian Leslie have identified a need to provide Row Level Security (RLS) a Microsoft Application (SQL Server Reporting Services [SSRS]) to service new and existing Sales, Finance, and Operations reports. The source for these reports originate from TricorBraun’s ERP system Microsoft Dynamics 365. There are two Dynamics 365 applications that are currently being considered as sources for this initiative. These Dynamics 365 applications are Sales (CRM) and Finance and Operations. Below are the identified Executive Leadership and Stakeholders from TricorBraun: • Jeff Douglas, VP Sales Effectiveness • Bill Stultz, VP of Finance for System’s Controller, Finance (Executive Champion) • Dave Duxbury, VP of Operations, GSC – Logistics (Executive Champion) • Doug Bolen, Chief Information Officer • Pam Lehmann, Director, Applications, IT • Brain Leslie, Senior Reporting Analyst, IT • Donovan Foster, IT Consultant, PMO, IT • Sarah Thomason, Project Manager • Mike Lang, Consultant - RSM Due to the complexity of this initiative, it has been decided to complete a SSRS RLS Prototype before we complete the final, expanded Vision Scope Document and the final Design Document. This Vision Scope Document is of limited scope just for the prototype. As the team at TricorBraun identify and finalize the expanded scope, we will document and append to an Expanded Vision Scope Document intended for the final design and development, not the prototype. For the SSRS RLS prototype, we will be using the Daily Gross Profit Report. This SSRS report uses 1 main stored procedure and a few stored procedures to support report parameters. RLS will need to be applied to the main stored procedure as well as the stored procedures to support report parameters. 
The deliverable and timeline for the SSRS RLS prototype depends heavily on how the stored procedures are built and how they query the Division, Region, and Customer dimensions. This process will be different for each stored procedure for every SSRS report. In extreme conditions, the stored procedures may need to be totally recreated to apply where clause filters early in the stored procedure, or to apply more complex where clause filters using a case statement. SSRS is not Role based security so an entitlement table will need to be created. The stored procedure logic (in all SPs) will need to be able to determine from the entitlement table where to apply the where clause it the code. It is possible that a case statement can be used to change the where clause based on what is stored in the entitlement table so that during different cases, the where clause will filter the Division table, and in another case the where clause will filter the region table. However, only one (1) table can be used to filter (Division, Region, or Customer). Understanding how this will work and the impact on the star schema is a major reason for prototyping the SSRS RLS scenario. Complexities in this SSRS prototype may extend the projected timelines. Approach The SSRS RLS prototype will require the entitlement table be populated with AD Usernames and one (1) table to filter either Division, Region, or Customer. This table will also need all of the divisions, regions, or customers a user can see. SQL Server Reporting Services (SSRS) 2017 and Visual Studio 2017 will be used to develop the RLS prototype for SSRS. The SSRS prototype will use an entitlement table and modified stored procedures where the user's place in the
  • 3. Vision and Scope Document | SSRS Prototype, Row Level Security (RLS) © AIM Business Driven Data Solutions, 2019 Page 3 of 9 organization are used to determine which divisions, regions, and customers a user can access. The prototype will use an entitlement table to apply RLS to the user's place in the organization for only one (1) of the following: divisions, regions, or customers for any given user. Our goal for these prototypes is to apply RLS to the most common security scenario, not the exceptions. We have agreed to the idea that the prototypes should target the 80/20 business rule. Deliverables SSRS RLS has one (1) deliverable: • Development RLS Prototype for SSRS Start Date: 3/28/2019 End Date: 4/18/2019 o Multiple personas plus Business User Personas (no AD Groups) o A complex security model using division, region, and customer tables (to apply RLS), an entitlement table, and a User (contains User Login ID) table. o Apply RLS to 1 Identified SSRS Report and add Predicate Functions, Security Predicates / Policies, and DB Roles o Uses production data for one (1) business defined test SSRS report, stored procedure and parameters o Manual process to load the security entitlement table and the security User table with test data (minimal rows) o 1 Entitlement table to store all Division, Region, and Customer security details as well as the AD User Name Clarifications These are the clarification for the RLS project: • The SSRS prototype and development for RLS will use 1 identified SSRS Report and one (1) related Stored Procedure • The business and IT teams will develop and maintain the one (1) identified SSRS report and one (1) related stored procedure • The business and IT teams will develop and maintain the one (1) Entitlement table and ETL for this entitlement table • The business and IT teams will develop and maintain one (1) security User table and ETL for this User table • SSRS is not a modeling tool, so AD Group Names are not Usable with Security 
tables (only AD User Names) • The business and IT teams will develop and maintain one (1) Invoice Star Schema and ETL for that Star Schema • Effort estimates are based on 100% resource utilization. Sprints with less than 100% resource utilization, unplanned maintenance, or non-concurrent development blocks of time may result in increased timelines and end dates. How to get the Job Done We will be using the following processes and tools to complete this project and deliverables: • Azure DevOps (VSTS) • Team Foundation Services, or Git (TBD), since both are used at TricorBraun for Source Control and Change Management • We are limiting the work-in-progress by using properly planned deliverables • PBIs, Tasks, and Kanban Boards will be used as part of Azure DevOps (VSTS) o Product backlog o Tasks o Weekly PowerPoint Updates o Sprints are not used at TricorBraun • A scope change log for this document will be used to manage change in an Agile fashion o Name o Description (Impact) o Version o Requested By o Approved By o Date
  • 4. Vision and Scope Document | SSRS Prototype, Row Level Security (RLS) © AIM Business Driven Data Solutions, 2019 Page 4 of 9 Change Log Name Description (Impact) Version Requested By Approved By Date
  • 5. Vision and Scope Document | SSRS Prototype, Row Level Security (RLS) © AIM Business Driven Data Solutions, 2019 Page 5 of 9 Appendix A | SSRS, RLS Security Tables The RLS prototype and development use a complex security model using division, region, and customer tables (dimensions to apply RLS), an entitlement table, and User (contains AD User Name) table. Entitlement Table ADUserName TotalCompany DivisonSecurityID RegionSecurityID AccountNum tricorbraunryan.casey - - Reg_TX - tricorbraunbleslie Yes - - - tricorbraunplehmann Yes - - - tricorbraunsthomason - Div_SW - - tricorbraunklahiri - - Reg_TX - tricorbraunszhang - - - 105288 tricorbraunpkurra - Div_SW - - tricorbraunrkitsch - - - 105305 … Additional Users … … … … Many to 1 User Table ADUserName tricorbraunryan.casey tricorbraunbleslie tricorbraunplehmann tricorbraunsthomason tricorbraunklahiri tricorbraunszhang tricorbraunpkurra tricorbraunrkitsch … Additional Users
  • 6. Appendix B | SSRS Security Flow Diagram
    SSRS Report Row Level Security | SSRS Security Flow Diagram

    Parameter Stored Procedures
      1. Get @SecurityType from Entitlement Table (Division, Region, Customer)
      2. Where Clause Predicate

        Select * from FinalResultsSet F
        LEFT JOIN EntitlementTable E1 ON F.DivisonID = E1.DivisonID
        LEFT JOIN EntitlementTable E2 ON F.RegionID = E2.RegionID
        LEFT JOIN EntitlementTable E3 ON F.AccountNum = E3.AccountNum
        WHERE CASE
                WHEN @SecurityType = 'Division' THEN F.DivisionID IN E1.DivisionID
                WHEN @SecurityType = 'Region' THEN F.RegionID IN E2.RegionID
                WHEN @SecurityType = 'Customer' THEN F.AccountNum IN E3.AccountNum
                ELSE 1
              END IN COALESCE(E1.DivisionID, E2.RegionID, E3.AccountNum, 1)

    Main Stored Procedure
      1. Get @SecurityType from Entitlement Table (Division, Region, Customer)
      2. Where Clause Predicate

        Select * from FinalResultsSet F
        LEFT JOIN EntitlementTable E1 ON F.DivisonID = E1.DivisonID
        LEFT JOIN EntitlementTable E2 ON F.RegionID = E2.RegionID
        LEFT JOIN EntitlementTable E3 ON F.AccountNum = E3.AccountNum
        WHERE CASE
                WHEN @SecurityType = 'Division' THEN F.DivisionID IN E1.DivisionID
                WHEN @SecurityType = 'Region' THEN F.RegionID IN E2.RegionID
                WHEN @SecurityType = 'Customer' THEN F.AccountNum IN E3.AccountNum
                ELSE 1=1
              END

    ** The CASE statement in the Where clause needs to be proved to work. If the example to the left won't work, we will have to create a comma-separated string when we get the security type.

    Alternative
      1. Get @SecurityType and @CommaSeperatedString
      2. Where Clause Predicate

        Select * from FinalResultsSet F
        WHERE CASE
                WHEN @SecurityType = 'Division' THEN F.DivisionID
                WHEN @SecurityType = 'Region' THEN F.RegionID
                WHEN @SecurityType = 'Customer' THEN F.AccountNum
                ELSE 1
              END IN @CommaSeperatedString
  • 7. Appendix C | Security Division ID

        -- [Invoicing].[dbo].[DimDivision] with SecurityDivisionID
        SELECT TOP (1000)
             [DivisionKey]
            ,[DivisionId]
            ,CASE
                WHEN [DivisionId] = 'Central' THEN 'Central'
                WHEN [DivisionId] = 'Div_CCE' THEN 'Div_CCE'
                WHEN [DivisionId] = 'Div_Intl' THEN 'Div_Intl'
                WHEN [DivisionId] = 'Div_MNA' THEN 'Div_MNA'
                WHEN [DivisionId] = 'Div_NE' THEN 'Div_NE'
                WHEN [DivisionId] = 'Div_NW' THEN 'Div_NW'
                WHEN [DivisionId] = 'Div_Other' THEN 'Div_Other'
                WHEN [DivisionId] = 'Div_PkgAll' THEN 'Div_PkgAll'
                WHEN [DivisionId] = 'Div_PNW' THEN 'Div_PNW'
                WHEN [DivisionId] = 'Div_SE' THEN 'Div_SE'
                WHEN [DivisionId] = 'Div_SW' THEN 'Div_SW'
                WHEN [DivisionId] = 'Div_Taipak' THEN 'Div_Taipak'
                WHEN [DivisionId] = 'Div_WP' THEN 'Div_WP'
                WHEN [DivisionId] = 'International' THEN 'International'
                WHEN [DivisionId] = 'Midwest' THEN 'Midwest'
                WHEN [DivisionId] = 'MNA_Div' THEN 'MNA_Div'
                WHEN [DivisionId] = 'Other' THEN 'Other'
                WHEN [DivisionId] = 'PNW_Div' THEN 'PNW_Div'
                WHEN [DivisionId] = 'Taipak_Div' THEN 'Taipak_Div'
                WHEN [DivisionId] = 'Unknown' THEN 'Unknown'
                WHEN [DivisionId] = 'West' THEN 'West'
                WHEN [DivisionId] = 'Wine' THEN 'Wine'
             END [SecurityDivisionID]
            ,[DivisionDescription]
            ,[CreatedDate]
            ,[CreatedBy]
            ,[UpdatedDate]
            ,[UpdatedBy]
            ,[SortOrder]
            ,[IsActive]
        FROM [Invoicing].[dbo].[DimDivision]
        ORDER BY [DivisionId]
  • 8. Appendix D | Security Region ID

        -- [Invoicing].[dbo].[DimRegion] with SecurityRegionID--
        SELECT TOP (1000)
             [RegionKey]
            ,[RegionId]
            ,CASE
                WHEN [RegionId] = 'Acedo' THEN 'Acedo'
                WHEN [RegionId] = 'Binkowski' THEN 'Binkowski'
                WHEN [RegionId] = 'Borras' THEN 'Borras'
                WHEN [RegionId] = 'Bottene' THEN 'Bottene'
                WHEN [RegionId] = 'Briggs' THEN 'Briggs'
                WHEN [RegionId] = 'Caldwell' THEN 'Caldwell'
                WHEN [RegionId] = 'Canada' THEN 'Canada'
                WHEN [RegionId] = 'Danheiser' THEN 'Danheiser'
                WHEN [RegionId] = 'Davis' THEN 'Davis'
                WHEN [RegionId] = 'DuClos' THEN 'DuClos'
                WHEN [RegionId] = 'Europe' THEN 'Europe'
                WHEN [RegionId] = 'Forbes' THEN 'Forbes'
                WHEN [RegionId] = 'Gibbs' THEN 'Gibbs'
                WHEN [RegionId] = 'Kliska' THEN 'Kliska'
                WHEN [RegionId] = 'Logue' THEN 'Logue'
                WHEN [RegionId] = 'Mexico' THEN 'Mexico'
                WHEN [RegionId] = 'MidAtlantic' THEN 'MidAtlantic'
                WHEN [RegionId] = 'MidMountain' THEN 'MidMountain'
                WHEN [RegionId] = 'MidSouth' THEN 'MidSouth'
                WHEN [RegionId] = 'Midwest' THEN 'Midwest'
                WHEN [RegionId] = 'Muster' THEN 'Muster'
                WHEN [RegionId] = 'Northeast' THEN 'Northeast'
                WHEN [RegionId] = 'Northwest' THEN 'Northwest'
                WHEN [RegionId] = 'Other' THEN 'Other'
                WHEN [RegionId] = 'OtherRegion' THEN 'OtherRegion'
                WHEN [RegionId] = 'PkgDesign' THEN 'PkgDesign'
                WHEN [RegionId] = 'POD' THEN 'POD'
                WHEN [RegionId] = 'PODRegion' THEN 'PODRegion'
                WHEN [RegionId] = 'SalesInit' THEN 'SalesInit'
                WHEN [RegionId] = 'Simpson' THEN 'Simpson'
                WHEN [RegionId] = 'Small' THEN 'Small'
                WHEN [RegionId] = 'Southeast' THEN 'Southeast'
                WHEN [RegionId] = 'Southwest' THEN 'Southwest'
                WHEN [RegionId] = 'Taylor' THEN 'Taylor'
                WHEN [RegionId] = 'Texas' THEN 'Texas'
                WHEN [RegionId] = 'Unknown' THEN 'Unknown'
                WHEN [RegionId] = 'WinePak' THEN 'WinePak'
                WHEN [RegionId] = 'Taipak_Reg' THEN 'Taipak_Reg'
                WHEN [RegionId] = 'MNA_Reg' THEN 'MNA_Reg'
                WHEN [RegionId] = 'PNW_Reg' THEN 'PNW_Reg'
                WHEN [RegionId] = 'San_Fran_Reg' THEN 'San_Fran_Reg'
                WHEN [RegionId] = 'Reg_CE' THEN 'Reg_CE'
                WHEN [RegionId] = 'Reg_EU' THEN 'Reg_EU'
                WHEN [RegionId] = 'Reg_MME' THEN 'Reg_MME'
                WHEN [RegionId] = 'Reg_MNA' THEN 'Reg_MNA'
                WHEN [RegionId] = 'Reg_MS' THEN 'Reg_MS'
                WHEN [RegionId] = 'Reg_MW' THEN 'Reg_MW'
                WHEN [RegionId] = 'Reg_NE' THEN 'Reg_NE'
                WHEN [RegionId] = 'Reg_Other' THEN 'Reg_Other'
                WHEN [RegionId] = 'Reg_PNW' THEN 'Reg_PNW'
                WHEN [RegionId] = 'Reg_POD' THEN 'Reg_POD'
                WHEN [RegionId] = 'Reg_SE' THEN 'Reg_SE'
                WHEN [RegionId] = 'Reg_SF' THEN 'Reg_SF'
                WHEN [RegionId] = 'Reg_SW' THEN 'Reg_SW'
                WHEN [RegionId] = 'Reg_Taipak' THEN 'Reg_Taipak'
                WHEN [RegionId] = 'Reg_TX' THEN 'Reg_TX'
                WHEN [RegionId] = 'Reg_CW' THEN 'Reg_CW'
                WHEN [RegionId] = 'Reg_MX' THEN 'Reg_MX'
                WHEN [RegionId] = 'Reg_WP' THEN 'Reg_WP'
                WHEN [RegionId] = 'Reg_PkgAll' THEN 'Reg_PkgAll'
             END [SecurityRegionID]
            ,[RegionDescription]
            ,[CreatedDate]
            ,[CreatedBy]
            ,[UpdatedDate]
            ,[UpdatedBy]
            ,[IsActive]
        FROM [Invoicing].[dbo].[DimRegion]
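One way to express the Appendix B row filter against the Appendix A entitlement table as a single EXISTS predicate in T-SQL, added here as an example and not taken from the original document or the project. It replaces the CASE/@SecurityType approach with a per-user lookup that has no ELSE branch, so a user with no entitlement row gets no rows, whereas the diagram's `ELSE 1=1` returns every row whenever @SecurityType is unset or unrecognised. The @ADUserName parameter, the table variables standing in for the real tables, the GrossProfit column, and all sample values are assumptions constructed for the example.

```sql
-- Constructed sample data. Column names follow Appendix A and B;
-- the table variables, @ADUserName and every value are assumptions.
DECLARE @Entitlement TABLE (
    ADUserName        nvarchar(128) NOT NULL,
    TotalCompany      varchar(3)    NULL,   -- 'Yes' = unrestricted access
    DivisonSecurityID varchar(20)   NULL,   -- spelling as in Appendix A
    RegionSecurityID  varchar(20)   NULL,
    AccountNum        varchar(20)   NULL
);
INSERT INTO @Entitlement VALUES
    (N'EXAMPLE\all.rows',  'Yes', NULL,     NULL,     NULL),
    (N'EXAMPLE\div.user',  NULL,  'Div_SW', NULL,     NULL),
    (N'EXAMPLE\reg.user',  NULL,  NULL,     'Reg_TX', NULL),
    (N'EXAMPLE\cust.user', NULL,  NULL,     NULL,     '105288');

DECLARE @FinalResultsSet TABLE (
    DivisionID  varchar(20),
    RegionID    varchar(20),
    AccountNum  varchar(20),
    GrossProfit money          -- hypothetical measure column
);
INSERT INTO @FinalResultsSet VALUES
    ('Div_SW', 'Reg_TX', '105288', 100.00),
    ('Div_SW', 'Reg_SW', '105305', 200.00),
    ('Div_NE', 'Reg_NE', '200001', 300.00);

-- In a report procedure this would be a parameter carrying the caller's AD login.
DECLARE @ADUserName nvarchar(128) = N'EXAMPLE\reg.user';

SELECT F.*
FROM @FinalResultsSet AS F
WHERE EXISTS (
    SELECT 1
    FROM @Entitlement AS E
    WHERE E.ADUserName = @ADUserName
      AND (   E.TotalCompany      = 'Yes'          -- whole-company grant
           OR E.DivisonSecurityID = F.DivisionID   -- NULL grants never match
           OR E.RegionSecurityID  = F.RegionID
           OR E.AccountNum        = F.AccountNum)
);
-- A login with no row in @Entitlement satisfies no branch: deny by default.
```

Because several entitlement rows per user are simply OR-ed together by EXISTS, the same predicate can be reused unchanged in the main procedure and in each parameter procedure.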