Updating Role-Based Security for Report Builder Access
New: 14 April 2006
SQL Server 2005 provides new tasks that allow users to create models and use Report Builder. If you are upgrading an existing installation, Setup will not modify existing role definitions to include the new tasks that grant access to these features. After you upgrade your installation, you must manually update existing role definitions and role assignments to include the new tasks. The following tasks are new in SQL Server 2005 Reporting Services:
| Name | Type | Description |
|---|---|---|
View models |
Item-level task |
Allows a user to view models in the folder hierarchy, use models as data sources for a report, and run queries against the model to retrieve data. This task is necessary for viewing ad hoc reports that are auto-generated by the report server and for using Report Builder. |
Manage models |
Item-level task |
Allows a user to create, view, and delete models, and view and modify model properties. Users who can perform this task also have permission to assign model item security and map predefined static reports to parts of a model. |
Consume reports |
Item-level task |
Allows a user to load a published report from the report server into a local Report Builder instance. Users who can perform this task can open and edit published, model-based reports. |
Execute report definitions |
System-level task |
Allows a user to process a report definition that is not currently stored on the report server. In the tools that are included with Reporting Services, this task is used to access Report Builder. Users who can perform this task can click the Report Builder button in Report Manager to launch Report Builder. When used programmatically, this task can support a broader implementation. Users who can perform this task have permission to process an unpublished report definition (.rdl) file. |
Browse model |
Model item task |
Allows a user to view a portion of a model. You can use this task to specify which parts of the model are visible to a user or group. |
New installations of SQL Server 2005 Reporting Services include a new role definition named Report Builder. This role defines a collection of tasks necessary for using Report Builder. The Report Builder role is not created for you when you upgrade an existing installation. However, you can create the role definition manually if you want to have the complete set of role definitions that are available in a new Reporting Services installation.
How to Update Existing Item-Level Role Definitions
If you are using the predefined role definitions, you can edit them to include the new tasks. Adding new tasks to existing role definitions is the easiest way to grant current users permission to view and manage Report Builder reports and models. When you add a new task to an existing role definition, all role assignments that include that role definition will get the new tasks automatically.
- Find the role definitions that are defined on the report server. In Management Studio, the role definitions are located under the Security node in the Roles folder. In Report Manager, open the Site Settings page and click Configure item-level role definitions.
- Expand the Browser role definition. Add the "View models" task to the role, and then click OK.
- Expand the Content Manager role definition. Add "Manage models", "View models", and "Consume reports" to grant full permission over models, and the ability to create and modify reports in Report Builder. Click OK.
- Expand the Publisher role definition. Add "Manage models" to grant permission to create, view, and delete models on the report server. Click OK.
How to Update Existing System-Level Role Definitions
To make Report Builder available to users, you must add tasks to the system-level roles.
- In Management Studio, expand the System Roles folder. In Report Manager, open the Site Settings page and click Configure system-level role definitions.
- Expand the System Administrator role definition. Add the "Execute report definitions" task. Click OK.
- Expand the System User role definition. Add the "Execute report definitions" task. Click OK.
Creating a New Report Builder Role Definition
New installations of SQL Server 2005 Reporting Services include a new role definition that organizes the set of tasks used for working with Report Builder into a single collection of tasks. If you are upgrading an existing installation, you must create this role definition manually. Creating a separate role definition ensures that Report Builder users have only those tasks that are necessary for creating ad hoc reports.
- Create a new role definition using either Management Studio or Report Manager. For more information, see How to: Create, Delete, or Modify a Role (Report Manager) or How to: Create, Delete, or Modify a Role (Management Studio).
- Name the role Report Builder.
- Add the following tasks: Consume reports, View reports, View models, View resources, View folders, and Manage individual subscriptions.
- Save the role definition.
Tips for Using the New Report Builder Role Definition
If you modified existing role definition using the instructions provided earlier in this topic, only users who are mapped to the Content Manager role have sufficient permission to use Report Builder to create and save reports. To make Report Builder functionality available to more users, you must create or modify role assignments that map a group or user account to the Report Builder role that you just created.
- If possible, create a domain group account that includes all of users who need access to Report Builder. If you have a group account, you can create one role assignment for all users.
- If you cannot create a group account, you can create role assignments that map a specific user account to the role definition. If you already have an existing role definition for a specific user, you can modify it to include the new role definition. For more information, see Creating, Modifying, and Deleting Role Assignments.
- You can write a script that creates role assignments and run it on the report server. For more information, see Script Samples (Reporting Services).
See Also
Other Resources
Browser Role
Content Manager Role
Publisher Role
System Administrator Role
System User Role
Report Builder Role
Role Assignments for Report Builder Access
Securing Models