March 26, 2009 at 2:23 pm
I am working on some financial DATA reports for Payroll.
When testing, I found that users with BROWSER role could change the Security setting for the reports that they can access. Even when I created a new Role which only has 'View reports' permission, the user with that role still could edit the security setting.
More precisely, by edit security setting, I mean the user can Delete any User (including himself); can add user and change user's role!
Is this a known bug? How to fix this? I want to set up a role that will limit the users so that they can do nothing but view the reports.
I am using SQL Server 2005 Reporting Service version: Microsoft SQL Server 2005 - 9.00.4035.00 (Intel X86) Nov 24 2008 13:01:59 Copyright (c) 1988-2005 Microsoft Corporation Standard Edition on Windows NT 5.2 (Build 3790: Service Pack 2).
March 26, 2009 at 11:01 pm
I have not had that happen; I am running multiple installs of SSRS. I'll check it out when I get to work again tomorrow ...
But I would check that no groups are added that the user is part of; adding/removing security belongs to administrators only. Also check that someone didn't modify the permissions granted to the default roles.
Mohit.
Mohit K. Gupta, MCITP: Database Administrator (2005), My Blog, Twitter: @SQLCAN.
Microsoft FTE - SQL Server PFE
* Sometimes it's the search that counts, not the finding...
* I didn't think so, but if I was wrong, I was wrong. I'd rather do something, and make a mistake than be frightened and be doing nothing.
March 27, 2009 at 7:16 am
Mohit, You are right.
I found that the user account I was testing with is part of the LOCAL Admin on the reporting server. Hence, no matter what role I was giving to the account inside the reporting service, it still is able to control the security of any reports.
I removed the account from the adm group and everything is working as expected.
Thanks for the helpful suggestion.
Cheers!
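The two checks suggested in this thread (who is in the report server's local Administrators group, and whether the item's role assignments or the Browser role itself grant more than viewing) can be scripted. The following is an added example, not code from any poster; the server name, report server URL and item path are placeholder assumptions, and it assumes the group has its English name, Administrators.

```powershell
# Added example: audit why an account can edit security on an SSRS 2005 item.
# All default values below are assumptions/placeholders, not taken from the thread.
param(
    [string]$Server    = $env:COMPUTERNAME,               # report server host
    [string]$ReportUrl = 'http://localhost/ReportServer', # assumed virtual directory
    [string]$ItemPath  = '/Payroll/ExampleReport'         # hypothetical report path
)

# 1. Members of the local Administrators group (users and groups).
#    Compare this list with the test account and every group it belongs to.
$admins = [ADSI]"WinNT://$Server/Administrators,group"
$adminMembers = @($admins.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
}
"Local Administrators on ${Server}:"
$adminMembers | ForEach-Object { "  $_" }

# 2. Role assignments on the report, read through the SSRS 2005 SOAP endpoint.
$rs = New-WebServiceProxy -Uri "$ReportUrl/ReportService2005.asmx?wsdl" -UseDefaultCredential
$inherits = $false
$policies = $rs.GetPolicies($ItemPath, [ref]$inherits)
"Role assignments on $ItemPath (inherited from parent: $inherits):"
foreach ($p in $policies) {
    $roles = ($p.Roles | ForEach-Object { $_.Name }) -join ', '
    "  {0,-40} {1}" -f $p.GroupUserName, $roles
}

# 3. Tasks currently contained in the Browser role, to spot a modified default role.
$description = ''
$tasks = $rs.GetRoleProperties('Browser', [ref]$description)
"Tasks in the Browser role:"
$tasks | ForEach-Object { "  $($_.Name)" }
if ($tasks | Where-Object { $_.Name -eq 'Set security for individual items' }) {
    Write-Warning "The Browser role includes 'Set security for individual items'."
}
```

Run it from an account that is allowed to read the item's security; nested domain groups listed in step 1 still need to be expanded separately.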
March 27, 2009 at 8:17 am
*cheers*, even though I have not implemented it. I have read recommendations that removing the Local Admin would be a good idea, so that not everyone has access to your report server.
That said, I am not 100% sure of the effects; I would think it shouldn't affect it as long as you make sure you add yourself in before you remove it.
Thanks.
Mohit.