September 6, 2016 at 6:37 am
Hi All,
I have almost 400 reports deployed at SSRS portal in 50+ folders which has sub folders too and user count is almost 300.
I am facing difficulty in maintaining rights and access permission. Every time I create a new folder, that folder is visible to everyone and I have to manually go and edit the permission and If have to remove say 10 users from 10 different folders then every time I have to go and edit in the security.
I was hoping to make some code dynamic which will utilize permission information from some setup table and then provide permission dynamically.
PLease let me know if anyone has even implemented or some more other idea to solve the issues.
Thanks
Regardss
September 6, 2016 at 11:31 am
Permissions in SSRS are by default inherited from the parent. The chaining of permissions can be broken by granting item level permissions - you get a pop up warning, can't remember the text, when you do this.
If everyone has permissions at the base level or the home page, then that is going to inherit down when creating new folders. Sounds like everyone has permissions at the Home page level. If you want permissions at the folder level, remove the higher level permissions and just grant on the folders and reports themselves.
Sue
September 7, 2016 at 1:31 am
Thanks a lot for your reply.
I have given permission to user in Home--> Folder setting. If I try to remove user from Home page folder setting and directly give permission at folder level then user gets an issue while accessing the folder " User ( user ID ) doesn't have required permissions. Verify that sufficient permission have been granted and windows user account control (UAC) restrictions have been addressed ", that is the reason I have given permission at Home page. because of this permission any new folder I am adding then everyone is able to see that folder and I have to go manually and edit the permission every time I am adding a new folder.
please suggest something
September 7, 2016 at 11:59 am
BI_NewBie (9/7/2016)
Thanks a lot for your reply.I have given permission to user in Home--> Folder setting. If I try to remove user from Home page folder setting and directly give permission at folder level then user gets an issue while accessing the folder " User ( user ID ) doesn't have required permissions. Verify that sufficient permission have been granted and windows user account control (UAC) restrictions have been addressed ", that is the reason I have given permission at Home page. because of this permission any new folder I am adding then everyone is able to see that folder and I have to go manually and edit the permission every time I am adding a new folder.
please suggest something
That's the whole inheritance from the parent. So if you don't want users to see all of the folders, they either can't be browsers at the home level or you need to break the inheritance. If you don't want to break inheritance when creating a new folder than you would need some type of grouping of the folders and reports, grant access the folders and have users access those folders directly rather than going from the Home folder to other folders. They don't necessarily need to just access everything from the Home folder.
If you have a lot of reports, you do want inheritance but probably not from the top level down all the way through to all folders and items. You'd want to have some type of grouping of the organization, reports and the two usually go together with AD groups in some way. You can have folders with folders in them with folders in them. So a "high level" folder (one right under the root home folder) can have multiple folders which in turn can have folders, etc. And you can manage security within each of these individual folders. You could have a folder for the accounting dept, management, customer service. In the Accounting dept folder, you could have folders for the payroll group, receivables group, etc
If you have hundreds of reports and every report has it's own folder and is off of the home folder, it will inevitably be ugly to manage. You likely want to step back, look at the reports, what groups need access to which ones, how to best align that with active directory groups, etc and figure out a security (folder) structure for the report server that suits the needs of the company without becoming a management nightmare. Same ways that there are groups in Active Directory - if every user added to the domain would need individual security set on everything, it would be a nightmare. Figure out how you can use the groups and not manage everything individually.
Not sure if that helps but it sounds like you really want to think about the organization of the folders and the related security and how they need to be grouped to make the process more efficient and secure. Keep the security inheritence in mind and remember that you can break that chain anywhere in the folder to subfolder to subfolder chain. But you also want to use it to your advantage when possible.
Sue
Viewing 4 posts - 1 through 3 (of 3 total)
You must be logged in to reply to this topic. Login to reply