I am attempting to set up a new user that has only the ability to run reports in the report manager.
I have created a new ActiveDirectory entry for DOMAIN\ReportUser. I have a created a new folder with the reports, and have set this user as a Browser role on this directory, and all reports in the directory.
I have made it throught the security maze to gain access to these reports as this user, but I cannot dynamically run the reports. As the BUILTIN\Administrator (content manager), I get a grayed background on the parameters and can run the reports. As this DOMAIN\ReportUser, I get what looks like HTML parameter items, and cannot run a dynamic report. Even if I change the role of this user to Content Manager, I still cannot run a dynamic report.
How do you properly set up a user to be able to dynamically run, and only run, a report in Report Manager, and have this user only see reports in a single folder?
I have been fighting the security issues of creating a RS site and properly setting up access, and have yet to find a single site or person explaining the entire process in any coherant method.
Mark
Hello Mark,
I'll tell you how I have mine setup for users only being able to run certain reports.
First off, I created a new item-level role (Site Settings -> Configure item-level role definitions) called Report Viewer and assigned it the 'View reports' & 'View Folders' task. I created my own role just to give the basic amount of permission needed. Then, go to the folder with the reports in it and hit Properties -> Security. Select 'New Role Assignment', check the box for 'Report Viewer', and type the name of your user in the 'Group or user name:' box.
Now, the specific user/group can view the folder and run the reports underneath.
You could also change the security on specific reports instead of the folder if you only want the user(s) to run certain ones.
Hope this helps.
Jarret
|||Jarret,
This is along the lines as to what I have tried.
Here is a little more about what I am experiencing:
I have a RS management site (e.g. report1.myurl.com/reports) the when I log in (i.e. I get the windows "Connect to report1.myurl.com" login form) with the builtin\administrator account I get full access to all report folders and functionality to manage the site.
I have a ActiveDirectory user Domain\ReportUser1, who is configured in RS as a 'Report Viewer' as you have described in your previous post. However, when I login with this User (i.e. I get the windows "Connect to report1.myurl.com" login form) I enter my Domain\ReportUser1 credentials, I have the same access to the RS management evironment as the builtin\administrator. It does not limit this user to only the folder I have given permissions to. I have checked the entire site, every configuration form, and through SQL2005 Management Studio for RS, and as far as I can tell, this user is set to only see the reports in this directory and does not have Content Manager status.
As an alternative, I have created a parallel named instance of reporting services (e.g report2.myurl.com/reports) and have set up the Directory Security Authentication on the Reports and ReportServer virtual directories to log in as the Domain\ReportUser1. These virtual sites point to the same SQL2005 instance of reporting services as the Default web site virtual directories, and I have access to the report uploaded there.
When I log into RS manager for this alternative site, I am now limited to view only the report folder that was configured for this user, however, I still have the ability to upload files, create folders and database connections (Which I should not, based on the role-based permissions set for this user). In addition, when attempting to run the reports, I do not have access to run them. I.e. Normally the parameters have are in the ReportViewer ActiveX-based control, along with the export, print, refresh, etc. (this has your report parameters in a gray background). When I run for this alternative site, the parameters are visible as what looks like HTML controls and any attempt to run the report returns message:
The selected report is not ready for viewing. The report is still being rendered or a report snapshot is not available. (rsReportNotReady)
The security involved in Reporting services is extremely frustrating to set up properly, as you not only have the windows, sql and IIS security stars to align to even gain access to the RS site, you then need to configure these Roles, which do not seem to be filtering a ActiveDirectory user's access to these reports as I would expect.
What am I missing?
|||I'm having the same issue. Can you keep me in the loop....sql
No comments:
Post a Comment