FIM 2010 R2 Reporting Permissions

  • Article

FIM 2010 R2 Reporting Permissions

By default, FIM Reporting grants Data Warehouse administration rights to the default FIM administrator account and the default FIM service account. In certain cases, a user may wish to configure FIM reporting to grant additional users the ability to administer the Data Warehouse, or to run the default FIM reports. In this document, we will cover how to set up FIM Reporting permissions for more advanced scenarios, including:

  • Adding the user as an Administrator on the SCSM Management Server

  • Adding the user as an Administrator on the Data Warehouse Server

  • Allowing a user to execute one or more reports without being a Data Warehouse Admin

Adding the user as an Administrator on the SCSM Management Server

In this scenario, the default FIM administrator account has been granted administration rights on the System Center Data Warehouse and Management Server, however, you wish to grant an additional user rights to manage your System Center deployment. To add a user, as an Administrator, to the SCSM Management Server use the following procedure:

To Add a user as an Administrator on the SCSM Management Server

  1. Open the System Center Service Manager Console application.

    scsm console

  2. Navigate to the Administration section of the wunderbar on the bottom left hand side of the console. Once there, select the Security and then User Roles subsection.

    Administrators user role

  3. Choose the Administrators user role and select the properties button on the right-hand side of the screen. This will open up the Edit User Role dialog box.

    Edit user role

  4. Select the Users subsection. Note that the current administrator CORP\Administrator is already a member of this group and the FIM Service account is also a member.

    Add user

  5. Click the Add button, type in your user, select Check Name to validate the user, then click Ok. On the Edit User Role dialog box click Ok.

    Edit user role 2

  6. Once you have added this new user, you may validate that he or she has administration rights on the SCSM console by attempting to log in to your SCSM Management Server as that user. You may do this by logging in as that different user, and clicking the Tools, the select Connect… menu item to connect to a new SCSM Management Server.

    Connect SCSM

Adding the user as an Administrator on the Data Warehouse Server

In this scenario, the default FIM administrator account has been granted administration rights on the System Center Data Warehouse and Management Server, however, you wish to grant an additional user rights to manage your System Center deployment. To add a user, as an Administrator, to the Data Warehouse Server use the following procedure:

To Add a user as an Administrator on the Data Warehouse Server

  1. Open the System Center Service Manager Console application.

  2. Navigate to the Data Warehouse section of the wunderbar on the bottom left hand side of the console. Once there, select the Security and then User Roles subsection.

  3. Choose the Administrators user role and select the properties button on the right-hand side of the screen. This will open up the Edit User Role dialog box.

  4. Select the Users subsection. Note that the current administrator CORP\Administrator is already a member of this group.

  5. Click the Add button, type in your user, select Check Name to validate the user, then click Ok. On the Edit User Role dialog box click Ok.

  6. Once you have added this new user, you may validate that he or she has administration rights on the SCSM console by attempting to log in to your SCSM Management Server as that user. You may do this by logging in as that different user, and clicking the Tools, the select Connect… menu item to connect to a new SCSM Management Server. If your new user has been properly added to the Data Warehouse Administrators group, he or she will be able to see the Data Warehouse wunderbar item.

Allowing a user to execute one or more reports without being a Data Warehouse Administrator

In this scenario, you have already granted the default FIM administrator account administration rights on the System Center Data Warehouse and Management Server, but wish to grant an additional user rights to view and execute one or more FIM Reports, without having to add that user as a System Center Service Manager Data Warehouse administrator. To add a user to the ReportUsers group use the following procedure:

To Add the User to the “Report Users” Group in the SCSM Data Warehouse

  1. Open the System Center Service Manager Console application.

  2. Navigate to the Data Warehouse section of the wunderbar on the bottom left hand side of the console. Once there, select the Security and then User Roles subsection.

    Report Users

  3. Choose the Report Users user role and select the properties button on the right-hand side of the screen. This will open up the Edit User Role dialog box.

    Note

    Notice in the description of this group, you are directed to add any users who you wish to access these reports to SSRS, as well. This will be done in the next procedure.

    Report Users 2

  4. Select the Users subsection. Note that the NT AUTHORITY\Authenticated Users is already a member of this group.

  5. Click the Add button, type in your user, select Check Name to validate the user, then click Ok. On the Edit User Role dialog box click Ok.

Add the User as a Report Browser in SSRS

Now that the user has been granted permissions to use reports in the SCSM console, the last step we must take is to grant this user the proper permissions to view reports through SSRS. Without doing this, a user will not have the correct permissions required to execute reports either through the SCSM console or through the SSRS web interface.To add a user as a Report Browser in SSRS use the following procedure:

To Add the User as a Report Browser in SSRS

  1. On the Data Warehouse server, open Internet Explorer and navigate to the System Center Data Warehouse SSRS server (https://<datawarehouseserver>/Reports) and then browse to the SystemCenter folder.

    SSPR 1

  2. Select the SystemCenter folder and in the dropdown which appears, choose Security.

    SSPR 2

  3. Click the New Role Assignment button above the list of users. Notice that the FIM Administrator already has access to any reports in this and any subfolders.

    SSPR 3

  4. Enter the name of the user or group to which you wish to grant permissions, and check the box next to Browser role. If you wish to allow the user to add or remove reports, or otherwise modify what is present in SSRS, add it as a Content Manager.

    SSPR 4

  5. Click OK. Now your user has access to FIM Reports in both the SCSM console and the SSRS web browser interface.

    SSPR 5

    Warning

    if you wish to add a user to a specific report, you can do so by browsing to the SystemCenter -> ServiceManager -> Forefront.IdentityManager.Reporting folder, and granting him or her permissions to one or more report object directly.