Role Definitions

In Reporting Services, a role* *definition is a named collection of tasks that define the operations available on a report server. Role definitions provide the rules used by the report server to enforce security. When a user attempts to perform a task, such as publishing a report, the report server checks the user's role assignment to determine whether the task is included in their role definition. If the task is included in the role definition, the request is submitted.

Using Roles to Authorize Access to a Report Server

A role becomes operative only when it is used in a role assignment. For more information about how roles provide security, see Role Assignments.

Types of Role Definitions

Role definitions are either item-level or system-level definitions. An item-level role definition describes tasks that relate to items that are stored and managed on a report server, such as reports, folder, and models. Manage reports, View folders, and Manage individual subscriptions are examples of tasks you can include in an item-level role definitions. A system role definition includes tasks that apply to the site as a whole. View report server properties is an example of a task you might include in a system role.

Predefined Roles

Reporting Services includes predefined roles that correspond to different levels of user interaction. The following list contains the predefined roles you can use:

  • Content Manager, Publisher, Browser, Report Builder, and My Reports are item-level role definitions that you can use when creating role assignments for accessing report server content.

  • System Administrator and System User are system-level role definitions that you can use to authorize access to site operations.

For more information, see Predefined Roles.

Creating a Role Definition

To create a role, you use Management Studio to specify a name and tasks it contains. You must create separate role definition for item and system tasks. Roles can include item-level tasks or system-level tasks, but not both. Creating a role definition consists of providing a name and choosing a set of tasks for the definition. To create a role definition, you must have permission to do so. The "Set security for individual items" task provides these permissions. By default, administrators and users who are assigned to the predefined Content Manager role can perform this task.

A role must have a unique name. To be valid, the role definition must contain at least one task. For more information, see Tasks and Permissions.

To create a role definition, use SQL Server Management Studio. For more information, see Create, Delete, or Modify a Role (Management Studio).

After you create a role definition, you can use it by selecting it in a role assignment. For more information, see Grant User Access to a Report Server (Report Manager).

Customize or Delete a Role Definition

Predefined roles can be modified or replaced with custom roles. To modify a role, you add to or remove tasks from the role definition. You cannot rename a role. Any changes you make are applied immediately to all role assignments that include the role definition.

You can delete a role definition if you are no longer using it. You cannot delete the role definition that is selected for the My Reports feature as long as that feature is enabled. Before you can delete the role definition used for My Reports, you must first disable the feature or select a different role definition to use with it.

See Also

Tasks

Create, Delete, or Modify a Role (Management Studio)

Grant User Access to a Report Server (Report Manager)

Modify or Delete a Role Assignment (Report Manager)

Set Permissions for Report Server Items on a SharePoint Site (Reporting Services in SharePoint Integrated Mode)

Concepts

Tasks and Permissions

Granting Permissions on a Native Mode Report Server