I've been trying to figure this out and it's driving me crazy. I'm trying to restrict access to the Site Settings option on the home SSRS screen. Nothing I do as far as setting roles seems to make a difference. Everyone in the company who clicks on the link can edit the Site Settings. I am the only user as Content Manager and System Admin.
I don't know where to look next. Has anyone come across this before?
Here's a picture of what I'm talking about - http://i.imgur.com/6I8xaZg.jpg
Initially, only users who are members of the local administrators group can access a report server. A local administrator always has permission to fully manage a report server instance. So please check your company guys are in local administrators group.
See: https://msdn.microsoft.com/en-us/library/ms156014.aspx
Related
I have inherited an SSRS environment which is a mess; Folders named only with numbers, hundreds of reports not accessed in the last 2 months (I checked ExecutionLog), etc..
I wanted to achieve two things…
Because every other day someone asks for read access to random reports, is there any way of making it “public”, meaning anyone can read and open ANY report?
I want to revoke “folder/report creation/move” access to everyone; can it be done without going folder by folder?
Related to it, the other day I found another SSRS box, that had this access?! What is that “everyone” is it a group inside my domain, or is it an SSRS feature that you can make it public so anyone can access?
That Everyone group looks like a domain account that your organisation has created. At least, I have never come across it.
To grant access to everyone that has a windows login, you can use NT AUTHORITY\Authenticated Users and set their permission to just Browser which will prevent creation or modification of Folders or Reports.
Regarding removing permissions from your items, your options are to either go item by item or bulk update the ReportServer database, which is not supported by Microsoft. You break something, you're one your own.
A big thing you will need to watch out for with opening up every report to every user is whether or not there is any confidential or sensitive information in any of the reports. Your organisation will not want low level staff looking at executive, cross company summaries nor will HR want their reports visible to anyone other than themselves.
You can export ALL permissions from SSRS using PowerShell.
I've also detailed a script that allows you to revert every folder to "inherit parent security" so you can control every folder by simply setting the home folder security. Sorry for the shameless plug but I blogged about both in April on SQLShack actually Managing SSRS Security using PowerShell
Both scripts are in that post. I hope that helps
Our IT Dept gave me an SSRS 2016 Dev Instance to play with. But I have two things that I need to figure out, as I've hit a dead end on:
The AppId I need to run our subscriptions under. It's needed to be setup on the SSRS Server to allow Local Login or the reports would not work.
Can some explain why we would need to allow login locally? Or even if it's the correct way to handle it, or should I be setting up something different for the AppId to work correctly?
I also need to be able to setup shared schedules. However when I click the settings gear, I only have 'My Subscriptions', and I understand I need 'Site Settings' to show up here.
What permissions do they need to setup in order for me to gain access to Site Settings?
Sorry, I'm not sure how to answer the first one. I think because SSRS is an additional service external of SQL Server it needs a local SQL Server login. Not really my forte.
By default there is a BUILTIN\Administrators role. The following link will describe who gets placed in the BUILTIN\Administrators role. Once you're in there, you can get to site settings and add your own security settings and shared schedules.
BUILTIN\Administrators info link
Hope this helps.
I am an db admin on the server. I have granted the user with "SYSTEM user" on site setting, "Content Manager" on the Home folder, and also "Content Manager" on the her folder XXX.
However, she cannot deploys her report on BIDS and get this error instead:
The permissions granted to user 'WMSERVICE\xxx' are insufficient for performing this operation
I have gone through many site and most of the suggestion is to run it back as Administrator, or give her a SYSTEM Administrator privilege for the SSRS (this is the last resort that I should consider).
Any ideas?
Two things on SSRS:
SSRS has two permissions, roles and user levels. Giving someone a permssion role of admin to SSRS is not like giving them admin under Active Directory. Just to SSRS. You could always try that and see if that is the issue.
Is the user publishing to multiple locations with the:
Data Source(s)
Data Set(s)
Reports
Or are they self contained in the report itself?
They can tell by going into a Report Project and hitting properties and looking at their screen settings. If they are using 'Shared Data Sources' or 'Shared Data Sets' that adds more levels of complexity to the security issues as you have to deal with their deployment as well. If one of those report folders is different they may be getting denied. For a sub part of the total in which their deployment would tell them which object was failing and were at. Many times I have seen people NOT turn off the default for Data Sources which is root/Data Sources. SSRS can deploy a project, data source, data set, or report and it's dependencies. When in doubt give full access and verify it works, then remove access immiediately. Then trouble shoot deployments. It is probably a folder not being given rights to and then deployment is going for that folder first would be my guess.
I'm having trouble figuring out how to setup user access rights for project portals in TFS 2010.
The permissions granted to user XXXXXXX are insufficient for performing this operation (rsAccessDenied)
I've tried adding the user to the various admin groups in TFS but the problem seems to only be related to Reporting Services permissions.
I mapped this user to the RSExec role in the RS databases as well as made sure they had access to the IIS virtual directory. I've tried several of the solutions found through Google but many of them are for previous versions of TFS/RS and the options don't even apply, others don't seem to work at all.
Ideally I would like to add an entire domain group to the entire project collection so that they can access any project portal underneath it, I don't want to have to setup custom permissions on each project, let alone various web parts.
Use this tool: http://tfsadmin.codeplex.com/ to administer TFS/SharePoint/SSRS in a consolidated interface.
I've build an asp.net site with a report viewer control that displays reports hosted on our reporting services report server. Everything works great. But now I need to do the same thing with a public facing site, where I'll need to access my report server through the firewall.
My question is: How do I lock this down to make sure that the end user can only access certain reports?
I think that all I need to do is make sure my IIS, in my DMZ, can talk to the report server. But, I think I'll need to impersonate a user that only has access to the reports I want to make available. On the other hand, if my report server is only accessible from the DMZ, then I won't need to worry about the end user directly connecting to the report server. I seems like any report I want to serve to the outside world just needs to be accessible by the default ASPNET account? I hoping someone can confirm my speculation or tell me where I'm wrong.
I had this problem too. What I had to do was make sure that each report takes a parameter from the application. If your authenticated users have an role through a role provider, and public users do not, you could pass the role as a parameter to the report through the application. That way if a user is not authenticated, the parameter will be null, and the report will not execute.