SQL Clone
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 


BUILTIN\Administrators account overrides the permissions


BUILTIN\Administrators account overrides the permissions

Author
Message
Jitendra-974613
Jitendra-974613
Forum Newbie
Forum Newbie (5 reputation)Forum Newbie (5 reputation)Forum Newbie (5 reputation)Forum Newbie (5 reputation)Forum Newbie (5 reputation)Forum Newbie (5 reputation)Forum Newbie (5 reputation)Forum Newbie (5 reputation)

Group: General Forum Members
Points: 5 Visits: 96
We have a Dell PowerEdge running Windows 2003 Server Std Edition R2 SP1. On this machine we have installed SQL 2005 Std Edition (unclustered) running v.9.00.2047.00.

The SQL components installed are the database engine, SSRS, SSAS, SSIS. All of these components work correctly apart from an issue with SSRS security.

The problem appears to be with the BUILTIN\Administrator account. When we open SSRS in Management Studio, right-click Home and click Properties from the menu we have:


A security group called ‘domain\xyz’ :
created in Active Directory and contain around 50 users
The permissions assigned to the security group are: ‘Browser’ only (check-box).

BUILTIN\Administrators:
this was there by default
The permissions assigned are: ‘Content Manager’ only (check-box).

Another security group called ‘domain\abc’ :
Created in Active Directory and contain SuperUsers (5 people)
The permissions assigned are: ‘Content Manager’ only (check-box).

We would expect to browse to the SSRS site, e.g. http:///reports and depending on the membership status for the user accessing the reports site, i.e. if I am a member of xyz or abc, then I should be able to:

If ‘xyz’ : Browse (read only) reports;
If ‘abc’ : Adminster the reports (add/remove/amend) report(s).
The problem we have is that we think the BUILTIN\Administrators account is overriding the other two Security groups in the list (as mentioned above). The outcome is that no matter if you are a member of abc or xyz you have Administrative permissions on the reports site.

What we did recently is that we deselected ‘Content Manager’ for BUILTIN\Administrators and found that the ‘abc’ and ‘xyz’ members could only Browse, but the ‘abc’ users should also be able to Administer the reports site.

This echoes the fact that the BUILTIN\Administrators account overrides the permissions for ‘abc’ and ‘xyz’.

Please can someone help us?
Bajrang
Bajrang
SSC Eights!
SSC Eights! (874 reputation)SSC Eights! (874 reputation)SSC Eights! (874 reputation)SSC Eights! (874 reputation)SSC Eights! (874 reputation)SSC Eights! (874 reputation)SSC Eights! (874 reputation)SSC Eights! (874 reputation)

Group: General Forum Members
Points: 874 Visits: 248
Here is what I would do in such case. In fact this is what we have in our project.

Let's say you simply have two different groups of users,
1) with Administrative rights/Developers
2) Report Users who just runs reports that's it.

In this case. go to your Report Manager Site.
On right hand side you have Site Settings. Click on that.

then go to " Configure Item Level role definitions"
Here, click on Report Viewer:
You will find all different tasks assigned to this Role.
You need to check only two of the tasks from the list. those are: View Folders and View Reports.
Click on OK.
So here you modified your report viewer role.

Now go back to home page on Report Manager.
Click on folder that you wanna configure for security.
Click on Properties.
Click on Security.
Click on New Role assignment and assign your domain group/User to this new created role: Report Viewer. Make sure you check only one role there. There you are all set on Reporting Services Side.

Now, on Windows side you need to make sure that these users are not part of BUILTIN\Administrators GROUP by any chance. If they are then there is no use of Report Viewer Role we just created. So remove intended users from BUILTIN\Administrators Group and assign new domain group for them. and then go back to report manager and assign this new domain group to Report Viewer Role for specific folder and report both.

Hope this helps. Let us know if it works or not for you!!!

-RP

-RP
Go


Permissions

You can't post new topics.
You can't post topic replies.
You can't post new polls.
You can't post replies to polls.
You can't edit your own topics.
You can't delete your own topics.
You can't edit other topics.
You can't delete other topics.
You can't edit your own posts.
You can't edit other posts.
You can't delete your own posts.
You can't delete other posts.
You can't post events.
You can't edit your own events.
You can't edit other events.
You can't delete your own events.
You can't delete other events.
You can't send private messages.
You can't send emails.
You can read topics.
You can't vote in polls.
You can't upload attachments.
You can download attachments.
You can't post HTML code.
You can't edit HTML code.
You can't post IFCode.
You can't post JavaScript.
You can post emoticons.
You can't post or upload images.

Select a forum

































































































































































SQLServerCentral


Search