Report-Level SQL Objects

Beginning with version 2018.1, administrators can allow end-users to create reports using custom report-level SQL objects written in the end-user interface.

See Report Wizard: SQL Categories for information on how end-users will be able to use this feature.

To enable Report-Level SQL, enable the following Admin Console setting:

( Feature/UI Settings ) Allow Creation of Custom SQL Objects

This is the first time that we have provided the ability for end-users to write SQL against the database directly. As such, there are some important security concerns to keep in mind before enabling this feature.


Protect your data from unauthorized SQL injection


Before enabling Report-Level SQL, please read carefully and consider the following information.

This feature allows report writers to execute arbitrary SQL commands against data sources they can access. By default, this is ALL sources except those you have specifically excluded.

Contact your database administrator to ensure that the connection string has READ-ONLY access. Do not enable Report-Level SQL without a restricted connection string for each allowed source.

Furthermore, because Report-Level SQL bypasses the Admin Console data model, Role (row-based) and column tenancy restrictions on data objects have no effect. Therefore, ensure that the account used in the connection string is also restricted from viewing and joining to unauthorized tables and schemas.
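The following is an added example, not part of the original article or of Exago's own code, showing one way a database administrator could provision the restricted, read-only account that the connection string should use. It assumes a PostgreSQL data source; the database `salesdb`, schema `reporting`, table and column names, and role `exago_report_sql` are hypothetical.

```sql
-- Added example. Assumptions: PostgreSQL; all object and role names are hypothetical.

-- 1. Dedicated login for the Report-Level SQL connection string, with no
--    administrative attributes and no privileges inherited from other roles.
CREATE ROLE exago_report_sql LOGIN PASSWORD 'REPLACE_WITH_GENERATED_SECRET'
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT;

-- 2. Remove the default PUBLIC privileges every role would otherwise receive.
--    This affects all roles that rely on PUBLIC, so review other accounts first.
REVOKE ALL ON DATABASE salesdb FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- 3. Grant read access to the authorized schema and tables only.
GRANT CONNECT ON DATABASE salesdb TO exago_report_sql;
GRANT USAGE ON SCHEMA reporting TO exago_report_sql;
GRANT SELECT ON reporting.orders, reporting.customers TO exago_report_sql;

-- 4. Column tenancy does not apply to Report-Level SQL, so expose only the
--    permitted columns of a sensitive table with a column-level grant.
GRANT SELECT (employee_id, full_name, region)
    ON reporting.employees TO exago_report_sql;

-- 5. Defence in depth: sessions start in read-only transactions. A session
--    can change this setting, so the grants above remain the real control.
ALTER ROLE exago_report_sql SET default_transaction_read_only = on;

-- 6. Audit: every relation the account can read. Any row outside the
--    authorized tables is an over-grant (often a leftover grant to PUBLIC).
SELECT n.nspname AS schema_name, c.relname AS relation_name
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'v', 'm', 'p')
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND has_schema_privilege('exago_report_sql', n.oid, 'USAGE')
  AND has_any_column_privilege('exago_report_sql', c.oid, 'SELECT');

-- 7. Audit: every relation the account can modify. Any row returned means
--    the connection is not read-only.
SELECT n.nspname AS schema_name, c.relname AS relation_name
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'v', 'm', 'p')
  AND has_table_privilege('exago_report_sql', c.oid,
                          'INSERT, UPDATE, DELETE, TRUNCATE');
```

Run the two audit queries as a database administrator after any schema change, since tables created later may carry grants that widen what this account can reach.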

Exclude unauthorized sources from Report-Level SQL by entering their names, surrounded by quotes (") and separated by commas (,), in the Admin Console field Data Sources to Exclude from Custom SQL Object Creation.



Note: This prohibits creation, but not execution, of Report-Level SQL reports with these sources.

You can deny Roles access to Report-Level SQL by setting the following Role field to False:

( Role | General ) Allow Creation of Custom SQL Objects in Advanced Reports

This prohibits creation and execution of reports with Report-Level SQL. To permit execution, enable the following setting: 

( Role | Objects ) Allow User to View Report-Level Custom SQL Objects

Please be cautious with your data.

Hidden Article Information

Article Author
Exago Development
created 2018-05-01 20:45:35 UTC
updated 2019-05-16 21:00:00 UTC
