Creating, Modifying, and Deleting Role Definitions

A role definition is a named collection of tasks that specify which tasks a user is allowed to perform in connection with a folder, report, or other item. Role definitions can contain either item-level or system-level tasks. You cannot combine tasks from both levels into a single role definition.

Reporting Services includes several predefined roles to accommodate various categories of users. You can create additional roles if the predefined roles are insufficient. You can modify or delete either the predefined roles or the custom roles you create, as long as you do not invalidate the last remaining role assignment for your report server.

Because the number of tasks that you can work with is relatively small, you typically do not need a large number of role definitions. Creating or modifying a role definition requires careful consideration. If you create too many roles, they become difficult to maintain and manage. If you modify an existing role, you may not know which role assignments use it or how users will be affected by the modification. Role-based security is central to the security model of Reporting Services and understanding its implications is important. For more information, see Role Definitions and Role Assignments.

Tools and Steps

You can use SQL Server Management Studio or Report Manager to create and manage role definitions. In Report Manager, use the Site Settings page to define item-level role definitions. In Management Studio, role definitions items in the folder hierarchy are created and modified through the Security node of a report server.

To view instructions about role definitions, see:

To view all of the role definitions created for your reporting environment, open the Item-Level Roles page or the System-Level Roles page in Report Manager, or open the Security node in Management Studio. These pages show you all of the existing role definitions. However, they do not indicate whether a role definition is used by a role assignment.

Creating a Role Definition

Creating a role definition consists of providing a name and choosing a set of tasks for the definition. To create a role definition, you must have permission to do so. The "Set security for individual items" task provides these permissions. By default, administrators and users who are assigned to the predefined Content Manager role can perform this task.

A role must have a unique name. To be valid, the role definition must contain at least one task. For more information, see Tasks and Permissions in Reporting Services.

To use a role definition, you choose it in a role assignment.

Modifying or Deleting a Role Definition

Because role definitions are available to any role assignment, modifying a role definition affects all role assignments that use it.

Use caution when deleting a role definition that is in use; there is no undo. Even if you re-create a previously deleted role definition with the same name and task list, any role assignments that used that role definition will not be associated with the re-created role definition.

You cannot delete the role definition that is selected for the My Reports feature as long as that feature is enabled. Before you can delete the role definition used for My Reports, you must first disable the feature or select a different role definition to use with it. For more information, see Managing My Reports.

You also cannot delete a role definition if it is part of the sole role assignment that provides security for a report server. A report server requires at least one item-level role assignment and one system-level role assignment. Any role definitions that are part of these role assignments cannot be deleted.

See Also

Concepts

Predefined Roles Overview
Role Definitions
Managing Permissions and Security for Reporting Services

Help and Information

Getting SQL Server 2005 Assistance