Creating, Modifying, and Deleting Role Assignments
A role assignment is a security policy that determines whether a user or group can access a specific item and perform an operation. A role assignment consists of a user or group account name and one or more role definitions. A role assignment is always created in the context of a specific item or branch in the report server folder hierarchy. You navigate to a specific folder or item to create a role assignment for it. If you are creating a system-level role assignment, you navigate to the Site Settings page instead.
Reporting Services includes two predefined role assignments, which provide default security for local administrators. You can modify the assignments, and you must add new assignments to make a report server accessible to report users.
This topic explains how to set security for individual items in the report server folder hierarchy. For more information about setting security at the system level, see Setting System-Level Security.
Tools and Steps
Use Report Manager or SQL Server Management Studio to access the item you want to secure. To view instructions about role assignments, see:
- How to: Create, Delete, or Modify a Role Assignment (Management Studio)
- How to: Create, Delete, or Modify a System Role Assignment (Report Manager)
Creating a Role Assignment
To create a role assignment, open the property pages of the item that you want to secure. To enable widespread access, you should choose an item that is high in the folder hierarchy (for example, the root node Home). You can then create subsequent role assignments to lock down specific areas of the folder hierarchy.
Creating a role assignment includes specifying a domain user or group account. If the account is on a domain other than the one that contains the report server, include the domain name. You must create a separate role assignment for each user or group account.
After you specify an account, you can choose one or more role definitions. The role definitions are additive. The combined set of all tasks from all definitions are supported in the assignment for a particular user or group.
Modifying a Role Assignment
You can modify a role assignment at any time. Your changes take effect when you save the role assignment. User sessions are not affected by role assignment changes. If a user has a report open, and you modify a role assignment to deny access, the user can continue using the report as long as the session is active.
If you add a user account to a group that is already part of a role assignment, there will be a delay before the user account is able to access items through the group account policies. This delay is caused by Internet Information Services (IIS) caching of authentication tokens. You can either wait for the tokens to refresh (typically, the wait period is fifteen minutes) or you can reset IIS to update the cache immediately.
You can only modify one role assignment at a time. You cannot perform a global search-and-replace operation to change role definition names or role assignment settings, or to find all the role assignments that include a specific user or group.
Deleting a Role Assignment
You can delete role assignments by selecting the checkbox by each assignment you want to delete, and then clicking Delete. You can also delete role assignments by clicking Revert to Parent Security. When you click this button, the existing role assignments for the item are deleted, and those that are provided through a parent item are used instead.