Minimum Security and Access Permissions for Local Administrators
Although you can modify the default and custom role assignments, you cannot remove all role assignments, leaving the report server unsecured. At minimum, each report server must have one system role assignment that defines access at the system level, and one item-level role assignment that defines access to the folder hierarchy.
As a precaution against lockout, members of the local Administrators group can always access a report server to change site settings regardless of what role assignments are set. If you accidentally set role assignments in such a way that all users are locked out, a local administrator can always reset security.
All local administrators have read permission on all items stored in the report server database, plus read and write permissions on security settings (that is, they always have permission to add, delete, and modify the role assignments that are set at the system and item level). Local administrators are granted elevated permissions permanently. Adding, modifying, and deleting role assignments does not affect permissions that are granted to members of the local Administrators group.
Having access to a report server differs from having full access to all the reports and the data it contains. To ensure that users with elevated permissions (such as local administrators) cannot access confidential reports, you must secure the reports at the data-access level, requiring users to provide credentials to view the report. For more information, see Specifying Credential and Connection Information.
See Also
Tasks
How to: Create, Delete, or Modify a Role Assignment (Management Studio)
How to: Create, Delete, or Modify a System Role Assignment (Report Manager)
Concepts
Configuring Security Through Role Assignments
Securing Reporting Services
Managing Permissions and Security for Reporting Services