May 28, 2009 at 7:50 am
We have a Dell PowerEdge running Windows 2003 Server Std Edition R2 SP1. On this machine we have installed SQL 2005 Std Edition (unclustered) running v.9.00.2047.00.
The SQL components installed are the database engine, SSRS, SSAS, SSIS. All of these components work correctly apart from an issue with SSRS security.
The problem appears to be with the BUILTIN\Administrator account. When we open SSRS in Management Studio, right-click Home and click Properties from the menu we have:
A security group called ‘domain\xyz’ :
created in Active Directory and contain around 50 users
The permissions assigned to the security group are: ‘Browser’ only (check-box).
BUILTIN\Administrators:
this was there by default
The permissions assigned are: ‘Content Manager’ only (check-box).
Another security group called ‘domain\abc’ :
Created in Active Directory and contain SuperUsers (5 people)
The permissions assigned are: ‘Content Manager’ only (check-box).
We would expect to browse to the SSRS site, e.g. http://
If ‘xyz’ : Browse (read only) reports;
If ‘abc’ : Adminster the reports (add/remove/amend) report(s).
The problem we have is that we think the BUILTIN\Administrators account is overriding the other two Security groups in the list (as mentioned above). The outcome is that no matter if you are a member of abc or xyz you have Administrative permissions on the reports site.
What we did recently is that we deselected ‘Content Manager’ for BUILTIN\Administrators and found that the ‘abc’ and ‘xyz’ members could only Browse, but the ‘abc’ users should also be able to Administer the reports site.
This echoes the fact that the BUILTIN\Administrators account overrides the permissions for ‘abc’ and ‘xyz’.
Please can someone help us?
June 4, 2009 at 3:03 pm
Here is what I would do in such case. In fact this is what we have in our project.
Let's say you simply have two different groups of users,
1) with Administrative rights/Developers
2) Report Users who just runs reports that's it.
In this case. go to your Report Manager Site.
On right hand side you have Site Settings. Click on that.
then go to " Configure Item Level role definitions"
Here, click on Report Viewer:
You will find all different tasks assigned to this Role.
You need to check only two of the tasks from the list. those are: View Folders and View Reports.
Click on OK.
So here you modified your report viewer role.
Now go back to home page on Report Manager.
Click on folder that you wanna configure for security.
Click on Properties.
Click on Security.
Click on New Role assignment and assign your domain group/User to this new created role: Report Viewer. Make sure you check only one role there. There you are all set on Reporting Services Side.
Now, on Windows side you need to make sure that these users are not part of BUILTIN\Administrators GROUP by any chance. If they are then there is no use of Report Viewer Role we just created. So remove intended users from BUILTIN\Administrators Group and assign new domain group for them. and then go back to report manager and assign this new domain group to Report Viewer Role for specific folder and report both.
Hope this helps. Let us know if it works or not for you!!!
-RP
Viewing 2 posts - 1 through 1 (of 1 total)
You must be logged in to reply to this topic. Login to reply