It sounds like you've added permissions on the report server website appropriately, so my first thought is about the datasource connection.

When you are in visual studio (BIDS) you create a datasource. I am wondering what credentials you've used in there. Those will be uploaded to the report server along with the datasource object.

On the report server home page, if you click the 'view details' button over on the right, it reveals the default hidden folder where the datasources are uploaded to. You can then look at the settings for the datasource and see what user credentials it uses.

The ideal way to manage this is to have an AD group in your domain that has very limited database access (read access to specific views or stored procedures used in reports). If your users are part of that group you can then use windows authentication in the datasource settings, and the individual users will pass their own windows credentials through the report server and on to the database. I'm assuming your datasource is SQL Server.

If you aren't able to do (or you are scheduling reports to run unattended) then the next best option is to have a specific reportuser created. I have used DOMAIN\reportuser on certain projects. This is a very limited user where the password does not expire. This user is set up with limited access on the SQL Server database as well as in the Report Server Configuration (ReportServerConfig.exe) on the report server itself - this is required for scheduled reports.

In the datasource properties you can then set it to use this user.

The final possibility is to create a SQL Authentication user on the SQL Database and set the datasource properties to use that user. It's the least recommended way but sometimes unavoidable.

My point in all this is that the folder and report level access granted on the Report Server website is separate from the datasource access. Hope that was clear.