Monday, July 30, 2018

Assembly Access on a Report Server

If an administrator grants an assembly access to the SessionManager API (which
wraps .NET Business Connector), then the assembly must be given the
AxSessionPermissionSet in the rssrvpolicy.config file on the report server.


NOTE: This is the recommended setting for business logic assemblies
(depending on the main report project name length, either .BusinessLogic.dll or
.BL.dll), and it is added by default for the business logic assemblies that are
created for a deployed reporting project. This includes the business logic
assemblies from referenced reporting projects.


Giving a custom assembly full trust in the report server security policy file allows
the assembly to directly access .NET Business Connector running under the
Business Connector proxy account. This account has elevated privileges that
allow access to the LogonAs functionality. In this case, the assembly could
impersonate any user and access their records.

Granting a custom assembly ReflectionPermission with MemberAccess could
allow the assembly to retrieve cached sessions from the session cache. Those
sessions are logged in for a specific user, and the custom assembly could have
access to that user's data.
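
An added example, not from the original post or from Microsoft: a Python audit of rssrvpolicy.config that lists per-assembly code groups granted FullTrust or a named permission set containing ReflectionPermission with MemberAccess, the two grants described above. The sample policy, assembly names, paths and the CustomSet name are constructed, and the check assumes each custom assembly is identified by a UrlMembershipCondition whose Url ends in .dll.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the .NET code-access-security layout of rssrvpolicy.config.
# Names, paths and "CustomSet" are made up; AxSessionPermissionSet is left empty here.
SAMPLE_POLICY = r"""<configuration><mscorlib><security><policy><PolicyLevel version="1">
<NamedPermissionSets>
 <PermissionSet class="NamedPermissionSet" version="1" Name="FullTrust" Unrestricted="true"/>
 <PermissionSet class="NamedPermissionSet" version="1" Name="AxSessionPermissionSet"/>
 <PermissionSet class="NamedPermissionSet" version="1" Name="CustomSet">
  <IPermission class="SecurityPermission" version="1" Flags="Execution"/>
  <IPermission class="ReflectionPermission" version="1" Flags="MemberAccess"/>
 </PermissionSet>
</NamedPermissionSets>
<CodeGroup class="FirstMatchCodeGroup" version="1" PermissionSetName="Nothing">
 <IMembershipCondition class="AllMembershipCondition" version="1"/>
 <CodeGroup class="UnionCodeGroup" version="1" Name="SalesReport.BusinessLogic" PermissionSetName="AxSessionPermissionSet">
  <IMembershipCondition class="UrlMembershipCondition" version="1" Url="C:\RS\bin\SalesReport.BusinessLogic.dll"/>
 </CodeGroup>
 <CodeGroup class="UnionCodeGroup" version="1" Name="Contoso.Helper" PermissionSetName="FullTrust">
  <IMembershipCondition class="UrlMembershipCondition" version="1" Url="C:\RS\bin\Contoso.Helper.dll"/>
 </CodeGroup>
 <CodeGroup class="UnionCodeGroup" version="1" Name="Contoso.Util" PermissionSetName="CustomSet">
  <IMembershipCondition class="UrlMembershipCondition" version="1" Url="C:\RS\bin\Contoso.Util.dll"/>
 </CodeGroup>
</CodeGroup>
</PolicyLevel></policy></security></mscorlib></configuration>"""

def audit_policy(xml_text):
    """Return (code group, permission set, reason) for each risky per-assembly grant."""
    root = ET.fromstring(xml_text)
    reflective = set()  # named sets holding ReflectionPermission with MemberAccess
    for pset in root.iter("PermissionSet"):
        for perm in pset.iter("IPermission"):
            flags = {f.strip() for f in perm.get("Flags", "").split(",")}
            is_reflection = perm.get("class", "").split(",")[0].endswith("ReflectionPermission")
            if is_reflection and (flags & {"MemberAccess", "AllFlags"}
                                  or perm.get("Unrestricted") == "true"):
                reflective.add(pset.get("Name"))
    findings = []
    for group in root.iter("CodeGroup"):
        cond = group.find("IMembershipCondition")
        url = cond.get("Url", "") if cond is not None else ""
        if not url.lower().endswith(".dll"):
            continue  # keep only groups that target a single assembly file
        pset = group.get("PermissionSetName")
        if pset == "FullTrust":
            findings.append((group.get("Name"), pset, "full trust"))
        elif pset in reflective:
            findings.append((group.get("Name"), pset, "ReflectionPermission MemberAccess"))
    return findings
```

To check a real server, pass the text of its rssrvpolicy.config to audit_policy and review each returned group against the assemblies you expect to be deployed.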


The following code must be present in the custom code section of the RDL file if
the report is expected to make use of the SessionManager API:


Protected Overrides Sub OnInit()
    Microsoft.Dynamics.Framework.Reports.SessionManager.BeginRequest(Report)
End Sub


Entries in the security policy file will not be created for any assemblies
referenced by business logic assemblies.
 

Regards,
Hossein Karimi
