September 19, 2008 at 10:40 am
Hello,
Mssql 2005/SP2 on win 2003 SP2
At the server level, the group xxx\Domain Admins has been added to local administrators group on SSRS/db server + DBA domain accounts.
At the database level, I've removed the BUILTIN\Administrators group. DBA domian accounts are explicitly mapped to sysadmin.
In out SSRS environment, the DBAs manage security/configuration ... (Site Settings ... System Administrator).
At SSRS web side, i can find no account (New Role Assignment) added by the name of xxx\Domain Admins .... yet anyone who is a member of the xxx\Domain Admins group can see/edit the entire SSRS environment from the web URL??
How is this group accessing the db or SSRS? How can this be controlled? Any thoughts/experiences?
Many thanks. Jeff
September 19, 2008 at 10:44 am
That seems correct - when they login they probrably cannot do anything if you click on databases though.
September 19, 2008 at 12:07 pm
Hi - the users can do quite a bit via the SSRS web front end ie: add/delete users ... abeit, they can't run an existing report ... just see all the properties
... but how are they able to access/use SSRS ???
Many thanks. Jeff
September 19, 2008 at 1:03 pm
If you open up the SSRS instance in Management Studio, right click on the instance, then click properties.
There is a "Perissions" page. That is where BUILTIN\Administrators is.
I've had mixed luck modifying this user in the past. On most servers, I can add domain logins just fine -- successfully removing the BUILTIN account. On one instance I cannot remove BUILTIN\Administrators nor can I add any domain logins.
The reports on this server were not sensitive and the domain admins would be lucky to even stumble across the RS instance, so I left it.
Good luck! I strongly suggest modifying it on a test instance first.
Kyle
Viewing 4 posts - 1 through 4 (of 4 total)
You must be logged in to reply to this topic. Login to reply