Crystal Reports Administration: Security Tips

One of the great things about Crystal Reports is how widely they appear to be used. Financial, Operational, Sales and Production reports all can be designed using the same application. Web Delivery using Crystal Enterprise or a Windows-based viewer can be used to process your report.

There is a lot of valuable intellectual property included in a report design. We can see why a report designer might want to protect this valuable investment. The open design of Crystal Reports makes this difficult.

We see several things you may want to hide from public view

• A complex formula or algorithm.
• Data access techniques including table joins and record selection.
• Conditional format of sections.
• Password protected fields and sections (possibly based on a parameter).
• Techniques to stop a report being reprocessed with fraudulent intent.

Delivering reports as HTML or PDF can protect the information hidden inside the database and report, but essentially, anyone with the Crystal Report designer can open the report and see how the report was built.

In the past, we have looked at different ways to secure a report design. Various methods suggested include:

1. Compile the report into an application. The reports are embedded inside the EXE so are not external rpt files available to Crystal Reports. Many commercial applications take this approach.
2. Store your reports on a Web server and only deliver via HTML and the web browser. Crystal Enterprise is an example of this approach.
3. Encrypt the files and only decrypt the files when the viewer needs to process the files.

These all sound great. However, one of the functions available inside all these report viewers is the ability to "Export" the report. As long as you have this available, you can export to a Crystal Report format and then use your report designer against the exported copy of the report.

Our view is that you would have to disable the export to the Crystal format to keep your report secure. Any security attempt that doesn’t do this leaves a big hole.

So here is a challenge to our readers. How can you deliver a solution to your customers that stops them from looking at the rpt design itself?

The Challenge

• You have a report with some proprietary technique from the list above.
• Your users need to be able to process the report against a live database. This can be on any method you wish including a web browser or custom windows application.
• Your users need to ability to export your report to several formats including XLS and PDF.
• You need a way to hide the proprietary technique from discovery.

This article will be updated with solutions to this challenge. Please come back at the end of May!

See our related article: Crystal Reports Administration: Security Issues.

This article is copyrighted by Crystalkeen, Mindconnection, and Chelsea Technologies Ltd. It may be freely copied and distributed as long as the original copyright is displayed and no modifications are made to this material. Extracts are permitted. The names Crystal Reports and Seagate Info are trademarks owned by Business Objects.