I am about to create a new web portal for my employer. Our data is sensitive and is stored on premise in an SQL Server.
Today we are using Sharepoint and SSRS (Sharepoint mode). Authentication is handled by smart cards and client certificates. Once the user is logged in, Sharepoint uses a system account and the user is basically anonymous. A user-specific token is fetched (server side, ASP.Net) by Sharepoint once the user has logged in and is appended to the links to the reports as a query parameter. When the user views a report, the token is used as an argument to a stored procedure which determines what content the user gets to see in the report.
What we want
The portal will be an ASP.Net Core application with Angular on the front end and I will embed reports from our on premise PBI Report Server using an iframe.
The requirement is, as is today, that the users should be authenticated with smart cards with the help of client certificates. This is not an issue on the portal side with custom authentication and a custom users table in our database. My concern is when the user wants to view an embedded (iframe) report.
One alternative is what we have today: the user is anonymous, i.e. all users in PBI Report Server see everything, and we use query parameters to filter data in the reports. This is very easily hacked just by looking in the source code of the page. Changing the query parameter reveals all information. Additionally, the filter pane on the right is populated by the filter and easily manipulated. And what I believe is that you cannot hide the filter pane.
The best alternative would be to create a custom authentication module for the PBI RS to which we could pass some object/token/whatever from the portal to ensure who the user is. If this was possible I could begin to use Row Level Security, right?
Is this possible? What would your suggestion be? How would I do this? How do I map the user from the portal to a user in PBI RS?
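Added example, not code from the original post or from PBI Report Server: one way the portal could hand the report side a token that identifies the certificate-authenticated user and cannot be forged by editing the query string, which is the gap in the current opaque-token-in-the-URL setup. The report side (for instance a custom security extension, whose interface is not shown here) would verify the token and map the returned user id to its own user for RLS; the shared key, the payload layout and the helper names are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper: the portal calls Issue() with the user id it resolved
// server-side from the client certificate (never from anything in the request),
// and the report side calls Verify() before applying Row Level Security.
public static class ReportToken
{
    // Constructed demo secret. In practice a key shared only between the portal
    // and the report server's custom security module, loaded from a secret store.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("demo-shared-secret-replace-me");

    // Token = base64url(userId|expiresUnix) + "." + base64url(HMAC-SHA256(key, payload))
    public static string Issue(string userId, DateTimeOffset expires)
    {
        string payload = $"{userId}|{expires.ToUnixTimeSeconds()}";
        byte[] payloadBytes = Encoding.UTF8.GetBytes(payload);
        using var hmac = new HMACSHA256(Key);
        byte[] mac = hmac.ComputeHash(payloadBytes);
        return B64Url(payloadBytes) + "." + B64Url(mac);
    }

    // Returns the user id if the token is intact and unexpired, otherwise null.
    // A user who edits the user id in the URL invalidates the MAC, so the
    // report side sees no identity at all instead of somebody else's data.
    public static string? Verify(string token, DateTimeOffset now)
    {
        string[] parts = token.Split('.');
        if (parts.Length != 2) return null;
        byte[] payloadBytes, mac;
        try { payloadBytes = FromB64Url(parts[0]); mac = FromB64Url(parts[1]); }
        catch (FormatException) { return null; }
        using var hmac = new HMACSHA256(Key);
        byte[] expected = hmac.ComputeHash(payloadBytes);
        // Constant-time comparison so a tampered MAC cannot be probed byte by byte.
        if (!CryptographicOperations.FixedTimeEquals(expected, mac)) return null;
        string[] fields = Encoding.UTF8.GetString(payloadBytes).Split('|');
        if (fields.Length != 2 || !long.TryParse(fields[1], out long exp)) return null;
        if (now.ToUnixTimeSeconds() >= exp) return null; // short-lived: limits link replay
        return fields[0];
    }

    private static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    private static byte[] FromB64Url(string s)
    {
        string t = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(t.PadRight(t.Length + (4 - t.Length % 4) % 4, '='));
    }
}
```

The token only proves who the user is; the data restriction itself still has to live in the report server (RLS or the stored procedure keyed on the verified user id), not in a client-editable filter.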