SSRS Predefined Roles Overview
Predefined Roles Overview
Reporting Services includes a small set of predefined roles that relate to report-related functions commonly performed in an organization. You can modify these roles or replace them with roles.
The following table describes the predefined roles.
| Use this predefined role | For users and groups who need to |
|---|---|
| Browser Role | Run reports and navigate through the folder structure. |
| Content Manager Role | Define a folder structure for storing reports and other items, set security at the item level, and view and manage the items stored by the server. |
| Publisher Role | Publish content to a report server. |
| My Reports Role | Build reports for personal use or store reports in a user-owned folder. |
| System Administrator Role | Enable features and set defaults, set site-wide security, define create role definitions, and manage jobs. |
| System User Role | View the schedule information in a shared schedule, or view other basic information about the report server. |
Because much of a company's data is sensitive and should not be seen by everyone, data protection is a priority. In this tip, we will cover the SSRS security model and talk about how you can leverage it to lock down your SSRS environment.
Overview
SQL Server Reporting Services security is managed on two levels: the SSRS site and on items within the site. At each level, the tasks that users can perform are managed via roles. Roles are just groups with certain tasks assigned to them and members of the role can perform the assigned tasks. It's that simple. Taking some time to create appropriate roles and assigning users accordingly will ensure that your SSRS site, and the reports it houses, are secure.Site-level security in Reporting Services 2005
The first level of security is site-level security. On the SSRS site as a whole, you can manage the tasks your users are allowed to perform. The tasks are fixed, and you need to create your roles with these fixed tasks in mind. At this level, you will be assigning "administrative" tasks to users. Standard users that just need to view reports will probably not require any permissions at this level of SQL Server Reporting Services, beyond the ability to view properties and schedules and execute report definitions. Here are the tasks you can assign to roles at the site level:- Execute Report Definitions allows a user to run a report definition without first loading the definition onto the SSRS server. This is required if you want your users to run report definitions from applications separate from SSRS, such as the Report Builder.
- Generate Events allows applications to generate events in the SSRS namespace.
- Manage Jobs permits users to view the jobs that are running on your SSRS server and cancel them if necessary.
- Manage Report Server Properties is a task that allows users to manage properties of the report server, as well as the items managed by the report server.
- Manage Report Server Security allows users to view and modify the members of your system-level roles.
- Manage Roles permits users to create, view and modify the role definitions. These users can change the tasks that are assigned to your roles.
- Manage Shared Schedules. SSRS contains shared schedules that can be tied to report execution; this task will allow users to manage these schedules.
- View Report Server Properties lets your users view, but not change, the properties of the report server. This task is implied if the role has the Manage Report Server Properties task assigned.
- View Shared Schedules lets users view, but not change, the shared schedules on the report server. This task is implied if the role has the Manage Shared Schedules task assigned.
Take a look at the screenshot below. To create new roles, click Site Settings in the top right corner of the Report Browser and then select Configure system-level role definitions under Security. This will open the System Roles page: To create a new role, click the New Role button. This will open the New System Role page, shown in the screenshot. All you have to do now is name the role, give it a description, and then select all the tasks you want this role to be able to perform. When you're done, click OK.
( Click on image for enlarged view.)
To assign users to this newly created role, go back to the site settings screen and select Configure Site-wide Security. This will open the System Role Assignments screen and you can simply click New Role Assignment to add new Windows users or groups to one of your SSRS system-level roles.
Item-level security in Reporting Services 2005
Item-level security is managed in much the same way as site-level security. You still work with roles and tasks, but the role assignment is done on a per-item basis. In other words, a user in the Browser role for one folder may be in the Content Manager role on another folder. Here are the tasks that can be assigned to item-level roles:
- Consume Reports allows users to read report definitions. This is a fancy way of saying "these users can run reports."
- Create Linked Reports allows users to create links between columns from one report to another. Users can also publish these reports to a folder.
- Manage All Subscriptions is a task that permits the user to view and manage other user's subscriptions to an item.
- Manage Data Sources lets the user create and delete shared data sources in SSRS.
- Manage Folders allows users to create and delete folders in SSRS. They can also modify the properties of existing folders.
- Manage Individual Subscriptions permits the user to create, view and modify subscriptions the user owns.
- Manage Models is a task giving the user rights to create, view and modify models.
- Manage Reports allows users to create and delete reports.
- Manage Resources lets users create, modify and delete resources in a folder. Resources are items such as shared schedules.
- Set Security for Individual Items is a task that permits the user to manage security for reports, folders, resources and shared data sources.
- View Data Sources lets the user view the properties of shared data sources.
- View Folders allows a user to view folders and folder properties.
- View Models authorizes users to view models and model properties.
- View Reports lets a user view reports in the folder hierarchy. This does not, however, allow users to run reports -- for that they require the Consume Reports task.
- View Resources lets a user view resources and resource properties in folders.
As with system-level roles, there are some built-in item-level roles you can use when assigning permissions in this area of SQL Server Reporting Services. If these roles aren't enough, you can build additional roles and assign users any combination of the item-level tasks we just looked at. The built-in item-level roles are as follows:
Now, let's get down to the details. To manage these roles, you have several options. Item-level security can be applied to a folder, report, data source or resource. To give SQL Server users permission to an item, you need to open that item and view its security properties. When you add a user, you also have to assign a user to a role for that item. In the case of folders, the role a user is assigned at the top-level folder will, by default, be inherited by other items inside that folder. You do have the ability to override security on a lower-level folder of item-level security.
At this point, the security of your SSRS server is entirely up to you. You can create different folders for each department and assign only employees in that department with access to that folder. Within each department folder, I like to create an additional folder for sensitive reports and further lock that folder down to the appropriate users. Take some time and really plan out how your reports will be placed on the server and how you want the security to look. When using SQL Server Reporting Services, there is no reason that all of your reports, regardless of sensitivity, can't be stored in a single report server.