How to Set Permissions on a Report Using Command Shell in Operations Manager 2007

Applies To: Operations Manager 2007 R2

Use the procedures in this topic to restrict access to Operations Manager 2007 reports containing sensitive information.

First, using a Command Shell script, you create a new user role. An example of a Command Shell script that is used to create a new user role is shown at the end of this topic.

Second, you use the Get-UserRole command to find the GUID of the user role, and then you set permissions on the report in SQL Server Reporting Services.

Warning

After you edit the security properties for a report, folder inheritance for every report in the folder is disabled. When folder inheritance is lost, you are required to manually set permissions for every report in the folder by using the Get-UserRole command.

For more information about the Operations Manager Command Shell, see the Operations Manager 2007 SDK at https://go.microsoft.com/fwlink/?LinkId=65912

To create a new user role

  1. Copy the sample Command Shell script to your local hard drive and save the file with a .ps1 extension (for example ReportOperator.ps1).

  2. Start the Operations Manager Command Shell.

  3. Run the script, for example type C:\ReportOperator.ps1, and then press ENTER.

  4. In the Operations console, click Administration.

  5. In the Administration pane, expand Administration, expand Security, and then click User Roles.

  6. In the User Roles pane, right-click the new user role that was previously created by the Command Shell script, and then click Properties.

  7. In the User Role Properties dialog box, click the General page, and then click Add.

  8. On the Select User or Groups page, enter the users or groups that you want to assign to the user role, and then click OK.

    Important

    Adding a machine account as a member of a user role allows all services on that computer to have SDK access. It is recommended that you do not add a machine account to any user role.

  9. Click Apply, and then click OK.

  10. Now you need to add the GUID for the new user role to SQL Server Reporting Services. Use the following steps:

    1. In the User Roles view, double-click the new user role.

    2. Click the Identity tab.

    3. Click Copy to copy the GUID for the new user role, and then click OK to close the Properties window.

    4. Start the SQL Server Reporting Services Report Manager by navigating to https://localhost/Reports in a Web browser.

    5. Click the Properties tab.

    6. Click New Role Assignment.

    7. Paste the GUID in the Group or user name field.

    8. Select the roles you want to assign to the new Report Operator user role and click OK.

To set permissions on a report using command shell

  1. Use the Get-UserRole command to find the particular user role that you want to use for the report.

    Note

    The command Get-UserRole | Format-Table Name,Id displays an easy-to-read table of user role names and their associated GUIDs.

  2. Copy the GUID to the clipboard.

  3. Access the report by using your browser and connecting to the instance of SQL Server (http://<computername>/reports$instance1).

  4. On the SQL Server Reporting Services home page, click the folder containing your report (for example, click Reports, and then click Microsoft.SystemCenter.DataWarehouse.Report.Library).

  5. Click the Properties tab, and then in the navigation pane, click Security.

  6. Click Edit Item Security.

  7. Select the check boxes for the roles Browser, My Reports, and Report Builder, and replace the existing GUID with the GUID for the user role that you selected and copied to the clipboard.
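To check the result of the procedure above, and to find the reports affected by the loss of folder inheritance described in the Warning, the following added example (not part of the original topic and not Microsoft's own code) lists each report in a folder with its inheritance state and whether the user role GUID has a role assignment. It assumes PowerShell 2.0 or later for New-WebServiceProxy; the Report Server URL, the catalog folder path, and the GUID placeholder are assumptions to replace with your own values.

```powershell
# Added example: audit SSRS item security for the reports in one folder.
# Assumptions (not from the original topic): PowerShell 2.0 or later, the
# ReportService2005.asmx URL, the catalog folder path, and the GUID placeholder.
$reportServerUrl = 'http://localhost/ReportServer/ReportService2005.asmx'  # assumed URL
$folderPath      = '/Microsoft.SystemCenter.DataWarehouse.Report.Library'   # assumed path
$userRoleGuid    = '00000000-0000-0000-0000-000000000000'  # placeholder: GUID from Get-UserRole

function Get-ReportSecurityAudit {
    param($Proxy, [string]$Folder, [string]$RoleGuid)

    # ListChildren(path, recursive): only the reports directly in this folder.
    $reports = @($Proxy.ListChildren($Folder, $false) |
        Where-Object { $_.Type -eq 'Report' })

    foreach ($report in $reports) {
        # GetPolicies sets $inherits to True when the report still takes its
        # security from the parent folder, False when it has its own policies.
        $inherits = $false
        $policies = @($Proxy.GetPolicies($report.Path, [ref]$inherits))

        $mine   = @($policies | Where-Object { $_.GroupUserName -eq $RoleGuid })
        $others = @($policies | Where-Object { $_.GroupUserName -ne $RoleGuid })

        New-Object PSObject -Property @{
            Report          = $report.Path
            InheritsParent  = $inherits
            RoleAssigned    = ($mine.Count -gt 0)
            SsrsRoles       = (($mine | ForEach-Object { $_.Roles } |
                                ForEach-Object { $_.Name }) -join ', ')
            OtherPrincipals = (($others | ForEach-Object { $_.GroupUserName }) -join ', ')
        }
    }
}

# Connect with the current Windows credentials and print the audit table.
$rs = New-WebServiceProxy -Uri $reportServerUrl -UseDefaultCredential
Get-ReportSecurityAudit -Proxy $rs -Folder $folderPath -RoleGuid $userRoleGuid |
    Sort-Object InheritsParent, Report |
    Format-Table Report, InheritsParent, RoleAssigned, SsrsRoles, OtherPrincipals -AutoSize
```

Rows where InheritsParent is False and RoleAssigned is False are reports on which the user role has no assignment until you add one manually; the OtherPrincipals column shows which other GUIDs or accounts can still reach each report.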

Example

The following is an example of the code you can use to create a user role for the Report Operator profile. The new user role in this example is named "Test Report Operator Role" but can be changed before running the script.

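# Run in the Operations Manager Command Shell while connected to a management group.
$mg = (get-item .).ManagementGroup
# Look up the Report Operator profile that the new user role is based on.
$reportOperator = $mg.GetMonitoringProfiles() | where {$_.Name -eq "ReportOperator"}
$obj = new-object Microsoft.EnterpriseManagement.Monitoring.Security.MonitoringUserRole

# Name the new user role and bind it to the Report Operator profile.
$obj.Name = "TestReportOperatorRole"
$obj.DisplayName = "Test Report Operator Role"
$obj.Description = "Test Report Operator Role"
$obj.MonitoringProfile = $reportOperator

# Save the new user role to the management group.
$mg.InsertMonitoringUserRole($obj)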