Lesson 3: Setting Permissions on Specific Items
New: 17 July 2006
You can create role assignments that grant permissions to specific items that are located in subfolders in the report server folder hierarchy. How you set security depends on whether you expect users to access the item through Report Manager or through a URL that resolves to that item.
- For URL access to a report, you can create a role assignment on that report. Users who click on the URL will view the report in a browser window. Because access is allowed only on the report and not on parent folders, the URL must include the fully-qualified folder path to the report. If the report uses a model as a data source, the model must also be specified on the URL and permissions to view the model must be specified in advance in order for the report to run. To learn more about URL access, see Using a URL to Access Report Server Items.
- For item access through Report Manager, where items appear within Report Manager Web pages, you should specify view-only permissions on each folder in the navigation path, as well as on the particular item. This allows users to open Report Manager and click through the folder structure to find the report. Without folder permissions, users will see an empty page with no ability to browse to the target report, model, shared data source, or resource.
In this lesson, you will learn how to create a new role definition that is used only for viewing a folder, and then use the role to specify view permissions on folders and on a sample report. The tutorial demonstrates how to set permissions so that a user can navigate to and view a report from Report Manager without being able to access the other items in the folder hierarchy.
As with the previous lessons in this tutorial, you will use SQL Server Management Studio to set permissions. You can use Report Manager to check your work.
To complete this lesson, you must have a domain user account for which you are granting permissions. The user account must have db_reader permissions on the AdventureWorks sample database. The user account must not be a member of a security group that already has permissions on the report server. Role assignments are cumulative; if a user already has wide-ranging permissions to view content on a report server, specifying more restrictive permissions will have no effect.
If you do not have a domain account to work with, create a local user account to use with this tutorial. At the end of the tutorial, you can log on as that user to verify that only the items you set permissions on are accessible to that user. If you do not know how to create a SQL Server login or local user account, review Lesson 1: Setting Up Permissions for this Tutorial. The lesson is part of a different tutorial, but you can use it to learn how to set up accounts.
To create a role definition for navigating folders
In Management Studio, connect to a report server, and then expand the report server folder.
Open the Security folder.
Right-click the Roles folder and select New Role. The New Role dialog box appears.
In Name, enter Folder Navigation.
In Task, select View Folders.
Click OK to close the dialog box.
To create role assignments for navigating folders
Right-click Home and select Properties.
Click the Add Group or User button.
Type the name of a domain user account that needs permission to navigate folders. Specify the account in this format: domain\user. The account should be in the same domain or in a trusted domain.
Click OK to close the Add Group or User dialog box.
On the permissions page, select the Folder Navigation task for the new user you just added.
Click OK to close the dialog box.
Because permissions are inherited, you do not need to repeat these steps on additional folders. The user will have view permissions on all folders in the report server hierarchy.
To create role assignments on the report
In Home, open the AdventureWorks Sample Reports folder.
Right-click Company Sales and select Properties.
Click Permissions.
Click Use these roles for each group or user account.
Click the Add Group or User button.
Type the name of a domain user account that needs permission to view the report.
Click OK to close the Add Group or User dialog box.
On the permissions page, select Browser role for the user account.
Click OK to close the dialog box.
Next Steps
You have successfully created an item-level role assignment on a specific report. The user has permission to open folders and view a single report. No other items are visible to the user. To check your work, ask the user to open Report Manager and access the report.
If you are using a local user account that you created for test purposes, you can right-click a Microsoft Internet Explorer shortcut, click Run as, select The following user, specify the test account, and then type the Report Manager URL. To learn how, see How to: Start Report Manager (Report Manager).
This lesson completes the tutorial on how to set permissions on a report server. To learn more about security, see Tutorial: Applying Security Filters to Report Model Items.
See Also
Tasks
Tutorial: Setting Permissions in Reporting Services
Other Resources
Finding and Viewing Reports with a Browser
Finding and Viewing Reports in Report Manager
Securing Reporting Services
Managing Permissions and Security for Reporting Services