I happen to be setting up a reporting server at work from scrach. Having very little almost no experience of sql server administration I am finding it really difficult to configure the security settings for the Reports Manager.
I do understand all the users who will be accessing Reports Manager will need permissions on Two Levels
1 – Permission to Access Data from sql server. (for which after some research I have decided to make use of datareader role.
2- Permission to Access Reports Manager for which I have choice to choose from Reports Manager Roles such as (Browser, Content Manager etc etc.)
For reports manager I have created a new Role with only permissions to View Reports.
Problem
With all these Security Filters in place yet when I added a Domain User Account to Reports Manager, The user can navigate anywhere on the Reports Manager (Can access folders , DataSources and reports they don’t have permissions on).
I do not want Users to view Data Sources or any other folders or Reports that they don’t have permissions on.
What I have Tried So Far
1- Added a user to One folder on the reports Manager, Yet they can navigate to any other Folder on Reports Manager.
2- Added a user to just one report , again they can navigate to any other Folder on Reports Manager.
3- I was using a virtual account for SSRS Service Account, Removed that and tried on all other 3 built in accounts for service account, LocalService, LocalNetwork & LocalSystem. (Not sure if this would have made difference).
All these efforts in vain as , whenever a user is added to any one report or folder they can navigate to all the other folders and reports and can actually execute reports.
Users had the datareader role assigned in Sql Server and a Custom Role on Reports Manager who has permissions only to View Report.
I have set the reporting services to use the default windows authentication. It is Sql
Server 2008 R2 Reporting Services. Data Centre Edition.
Please any advice or any direction would be a great help. I have been reading BOL but nothing has helped as yet.
Best Answer
Normally in SSRS you would use the SSRS management interface (/ReportsManager IIRC) to set user roles/perms by folder. They are normally inherited by subfolders though you can override that. The role 'browser' is most appropriate for end users as it allows them to run / view reports but not much more. If you grant a user 'browser' access for folder but not B then they will not be able to access folder B unless it is either a sub-folder of A (by default granted the same perms as A) or unless B is a sub-folder of another folder the user has 'Browser' access to.
You probably should not be granting domain users any rights directly with-in SQL Server. The various accounts that SQL Server itself uses as well as administrative accounts should be configured with-in SQL Server. End user access to SSRS is controlled by SSRS based on rules entered into SSRS.