Set up security

Management Reporter uses several levels of security to help ensure that authorized users can perform certain tasks in Management Reporter, modify the building blocks that are used in reports, and view generated reports.

Many of these security features can be used together to ensure that users can view reports that they need and see only the information that is relevant to them.

Levels of security

Management Reporter has the following levels of security for reports:

• Company access

• User roles and groups

• Report library security

• Reporting tree security

• Example scenario

• Additional resources

Company access

The highest level of security is company-level security. Users with the role of administrator in Management Reporter can access information for all companies, but users who are assigned to other roles must be granted access to each company. Users who are assigned to the roles of designer and generator can design or generate reports only for the companies to which they have been granted access.

Note

Some Microsoft Dynamics ERPs automate the security settings for Management Reporter through the data mart integration. For more information about security settings, see the data integration guide for your Microsoft Dynamics ERP system.

For example, David has been assigned the role of generator in Management Reporter, and he needs to generate reports for the Contoso company. Phyllis, an administrator in Management Reporter, grants him access to Contoso data, so that David can generate reports using only the Contoso data. If Phyllis creates a report that contains Contoso data and data for another company, David can only generate the report for the Contoso company

An administrator can also grant company access to groups of users. For example, if David’s department requires access to Contoso, then Phyllis can create a user group for David’s department and grant access for that user group to the Contoso company.

For more information, see the “Manage access to a company” and “Reset password for company access” sections in Set up company information (data provider).

User roles and groups

The second highest level of security in Management Reporter is defined by user roles. Users in Management Reporter are assigned to one of four roles: administrator, designer, generator, or viewer. Some security permissions are limited to certain roles, but you can modify security permissions for individual users or assign users to a group. For more information about user roles and security permissions for users, see Set up and manage users and groups.

Only an administrator in Management Reporter can create new user accounts and assign user roles.

For example, Phyllis has the role of administrator in Management Reporter, and David and Michael are new users. Phyllis knows that David must have up-to-date information about his budget and sales performance, but he does not need to create or modify building blocks. She also knows that Michael can create the reports that David needs, and he can modify the build blocks of David’s reports. Therefore, Phyllis assigns David to the role of generator, and she assigns Michael to the role of designer, so that each user can complete his required tasks.

Note

Some Microsoft Dynamics ERPs automatically assign user roles in Management Reporter to users. For more information about ERPs and user roles in Management Reporter, see the data integration guide for your Microsoft Dynamics ERP system.

Report library security

All reports that are generated in Management Reporter are stored in the report library. Reports that are stored in the public folder of the report library can be viewed by all users, but reports that are stored in other folders are restricted to only the users who are granted access to those folders.

The structure of the report library can be customized to your needs. However, because all reports are generated to the report library, the library and its folders should be secured by specific users or user groups. For more information, see Set up and manage report library security.

For example, Phyllis is an administrator in Management Reporter, and she needs to generate a report for the Marketing department. She creates a folder in the report library named “Marketing”, and she grants access to the “Marketing” user group. Only members of the Marketing user group can view the reports in the Marketing folder.

You can also use report links to post links to generated reports on a SharePoint site or network location. The report links display the report in the report library, but do not require that you grant specific access to a report in the report library. For more information, see Generate a report.

For example, Phyllis is an administrator in Management Reporter, and she needs to generate a report for the Marketing department. She knows that the Marketing department uses a SharePoint site to share information between the department members, so she decides to use report links to share the marketing reports. She modifies the report definition for the Marketing report to generate a report link to the SharePoint site when the report is generated.

Reporting tree security

The lowest level of security is the reporting tree. The reporting tree lets you assign a specific user or user group to a specific unit of the tree, so that only the specified user or user group can view the reporting unit in any report that is generated by using the reporting tree.

For example, Phyllis wants to generate a report that contains information for David in Marketing and April in Finance. Instead of generating two separate reports, she uses the reporting tree to select the reporting units that only David should view, and to select the reporting units that only April should view. When the report is generated, David and April receive the same report, but they can view only the information to which they have been allowed access.

Note

To turn off reporting tree security, select the Disable unit security option in the report definition.

If a user has access to a specific level of a reporting tree on a generated report, but does not have access to the report library folder where the report is stored, the user can access the report library folder. However, the user can only view that report, and can only view the reporting units to which the user has been granted access.

For more information, see the following topics:

• Reporting tree definition

• Manage reporting units

• Create and manage report components

• Settings tab settings

Example scenario

The security features in Management Reporter are designed to be used together, to help ensure that users can access only the data that they need to complete their tasks. The following scenario demonstrates how to use multiple security features.

Phyllis is an administrator in Management Reporter, and she creates a user account for David. She knows that David works with Contoso company data, so she grants access for him to the Contoso company. Phyllis also knows that David does not want to build Contoso reports, or modify existing building blocks for repots, he only needs to generate reports for his department, so Phyllis assigns him to the role of generator in Management Reporter. Now, David can modify and generate reports using Contoso data only.

Phyllis knows that other users in the Marketing department are currently users in Management Reporter, so she creates a user group that is named Marketing, and adds David’s user account to the user group. Now, David inherits any security permissions that Phyllis has already granted for that user group.

To share the generated reports for all of the people in the Marketing department, Phyllis modifies the report definitions to generate a report link to a SharePoint site that the department already uses.

When a Contoso report is generated, Phyllis notices that certain information in the report should be restricted to David only. Instead of generating multiple reports for David and his department, Phyllis modifies the reporting tree of the Contoso report, and restricts the reporting unit to David’s user account only. Now, Phyllis can generate one report to the SharePoint site of the Marketing department, and only David can view the information in the restricted reporting unit.

Additional resources

For more information about how to use the security features in Management Reporter, see the following posts on the Dynamics Corporate Performance Management blog on MSDN:

• Management Reporter: Get More Out of Security - Using Groups

• Management Reporter – Get More Out of Security – Using Reporting Tree and Report Library Security

• Creating secure report links - Management Reporter 2012 Feature Highlight

• New security option for designers

See Also

Report Designer interface

Desktop Viewer

Accessibility features in Management Reporter