In Reporting Services, a role definition is a named collection of tasks that define the operations available on a report server. Role definitions provide the rules used by the report server to enforce security. When a user attempts to perform a task, such as publishing a report, the report server checks the user's role assignment to determine whether the task is included in their role definition. If the task is included in the role definition, the request is submitted.
Use roles to authorize access to a report server
A role becomes operative only when you use it in a role assignment. For more information about how roles provide security, see Role assignments.
Types of role definitions
Role definitions are either item-level or system-level definitions. An item-level role definition describes tasks that relate to items that are stored and managed on a report server, such as reports, folder, and models. Manage reports, View folders, and Manage individual subscriptions are examples of tasks you can include in an item-level role definition. A system role definition includes tasks that apply to the site as a whole. The view report server properties task is an example of a task you might include in a system role.
Predefined roles
Reporting Services includes predefined roles that correspond to different levels of user interaction. The following list contains the predefined roles you can use:
Content Manager, Publisher, Browser, Report Builder, and My Reports are item-level role definitions that you can use when creating role assignments for accessing report server content.
System Administrator and System User are system-level role definitions that you can use to authorize access to site operations.
You use Management Studio to specify a name and the tasks it contains to create a role. You must create separate role definitions for item and system tasks. Roles can include item-level tasks or system-level tasks, but not both. Creating a role definition consists of providing a name and choosing a set of tasks for the definition. To create a role definition, you must have permission to do so. The "Set security for individual items" task provides these permissions. By default, administrators and users who are assigned to the predefined Content Manager role can perform this task.
A role must have a unique name. To be valid, the role definition must contain at least one task. For more information, see Tasks and permissions.
Predefined roles can be modified or replaced with custom roles. To modify a role, you add to or remove tasks from the role definition. You can't rename a role. Any changes you make are applied immediately to all role assignments that include the role definition.
You can delete a role definition if you're no longer using it. You can't delete the role definition that is selected for the My Reports feature as long as that feature is enabled. Before you can delete the role definition used for My Reports, you must first disable the feature or select a different role definition to use with it.