One of my reports has tight security issues that come with it. I have integrated windows authentication so that the logged in user's credentials are passwed as a parameter to the stored procedure that is called. That parameter is marked as HIDDEN, which works perfectly for ad-hoc calls by end users to the report. My security loophole seems to come in when the end user schedules a subscription. The "user id" parameter is then no longer hidden and the end user can schedule the report to run with any other user's id that they wish to. If the subscription is still in the system I can read the Subscriptions table and see that "Bob" has asked for the report to run as though it is really "Sam." But the problem is if they remove that subscription, the ExecutionLog records the fact that the report was run for "Bob" as the parameter, but it runs under the admin account of course, and there is no record (that I can find) of who the report was emailed to. Is there a way I can find out who reports were emailed to when they were executed as subscriptions?

Hi Dalton, For a E-Mail subscription, the "To" addresses are recorded in the ExtensionSettings in the subscription. Each time the subscription is fired, the subscription will use the same settings in the table to deliver the report. So, in order to find out who reports were emailed to, please check the "To" element in the ExtensionSettings directly. If there is anything unclear, please feel free to ask. Thanks, Jin ChenJin Chen - MSFT