File Permissions in a Reporting Services Deployment
Reporting Services sets permissions on the files that it needs to access. In most cases, you should never have to set these permissions yourself. However, if you are troubleshooting an installation problem or permission denied error, you can use the information in this topic to rule out any permission issues.
During installation, Setup creates several Windows security groups to help secure the SQL Server program files and to make it easier to grant permissions to service accounts. For Reporting Services, there are two Windows security groups:
File permissions are granted to these security groups on folders in \Program Files\Microsoft SQL Server\MSSQL.n\Reporting Services. To view a list of the access control lists (ACLs) and permissions that are configured by Setup, see Setting Up Windows Service Accounts.
The Report Server Web service and Windows service must have a login to the SQL Server instance that hosts the report server database. Each service is also granted database permissions through the RSExecRole. This role also grants permissions on the stored procedures used to update and maintain the report server database. For more information, see Administering a Report Server Database.
The Report Server Web service is an ASP.NET application. As such, it requires access to the Temporary ASP.NET Files folder that is used by ASP.NET to store generated assemblies. Folder permissions for the ASP.NET service identity are set when you install ASP.NET. If the report server or any other ASP.NET application that runs an application that has NetworkService as the security identity cannot access this folder, you will see an error similar to the following:
The current identity (NT AUTHORITY\NETWORK SERVICE) does not have write access to 'C:\WINDOWS\Microsoft.NET\Framework\V2.0.050727\Temporary ASP.NET Files'.
To resolve this error, assign write access permissions to the NetworkService account.