How to: Grant User Access to a Report Server (Report Manager)

Reporting Services uses role-based security to grant user access to a report server. On a new report server installation, only users who are members of the local Administrators group have permissions to report server content and operations. To make the report server available to other users, you must create role assignments that map  user or group accounts to a predefined role that specifies a collection of tasks.

For a report server that is configured for native mode, use Report Manager to assign users to a role. There are two types of roles:

  • Item-level roles are used to view, add, and manage report server content, subscriptions, report processing, and report history. Item-level role assignments are defined on the root node (the Home folder) or on specific folders or items farther down the hierarchy.

  • System-level roles grant access to site-wide operations that are not bound to any specific item. Examples include using Report Builder and using shared schedules.

    The two types of roles complement each other and should be used together. For this reason, adding a user to a report server is a two-part operation. If you assign a user to an item-level role, you should also assign them to a system-level role. When assigning a user to a role, you must select a role that is already defined. To create, modify, or delete roles, use SQL Server Management Studio. For more information, see How to: Create, Delete, or Modify a Role (Management Studio).

For a report server that is configured for SharePoint integrated mode, you configure access from a SharePoint site using SharePoint permissions. Permission levels on the SharePoint site determine access to report server content and operations. You must be a site administrator to grant permissions on a SharePoint site. For more information, see Granting Permissions on Report Server Items on a SharePoint Site.

Before you start

Review the following list before adding users to a native mode report server.

  • You must be a member of the local Administrators group on the report server computer. If you are deploying Reporting Services on Windows Vista or Windows Server 2008, additional configuration is required before you can administer a report server locally. For more information, see How to: Configure a Report Server for Local Administration on Windows Vista and Windows Server 2008.

  • To delegate this task to other users, create role assignments that map user accounts to Content Manager and System Administrator roles. Users who have Content Manager and System Administrator permissions can add users to a report server.

  • In SQL Server Management Studio, view the predefined roles for System Roles and User Roles so that you are familiar with the kinds of tasks in each role. Task descriptions are not visible in Report Manager, so you will want to be familiar with the roles before you begin adding users.

  • Optionally, customize the roles or define additional roles to include the collection of tasks that you require. For example, if you plan to use custom security settings for individual items, you might want to create a new role definition that grants view-access to folders. For more information, see Tutorial: Setting Permissions in Reporting Services.

To add a user or group to a system role

  1. Start Report Manager.

  2. Click Site Settings.

  3. Click Security.

  4. Click New Role Assignment.

  5. In Group or user, enter a Windows domain user or group account in this format: <domain>\<account>. If you are using forms authentication or custom security, specify the user or group account in the format that is correct for your deployment.

  6. Select a system role, and then click Apply.

    Roles are cumulative, so if you select both System Administrator and System User, a user or group will be able to perform the tasks in both roles.

  7. Repeat to create assignments for additional users or groups.

To add a user or group to an item role

  1. Start Report Manager or click Home to go to the Report Manager start page.

  2. Click the Properties tab.

  3. Click the Security tab.

  4. Click New Role Assignment.

  5. In Group or user, enter a Windows domain user or group account in this format: <domain>\<account>. If you are using forms authentication or custom security, specify the user or group account in the format that is correct for your deployment.

  6. Select one or more role definitions that describe how the user or group should access the item, and then click OK.

  7. Repeat to create assignments for additional users or groups.