Managing Permissions and Security for Reporting Services
SQL Server 2005 Reporting Services uses role-based authorization and Windows authentication to determine who can perform operations and access items on a report server. Role-based authorization categorizes into roles the set of actions that a user or group can perform.
All users interact with a report server within the context of a role. A user can be assigned to different kinds of roles for different items. For example, a user who is a member of the Content Manager role for one report may be a member of the Browser role for another report. Predefined roles are provided that group related tasks into logical units. Examples of some of the roles that are available include Content Manager, Publisher, and Browser. You can create new roles or modify the existing ones to customize the tasks that each role supports.
Role definitions are organized into two categories. Item-level roles describe operations that affect reports and other items that are accessed through the report server folder hierarchy. System-level roles describe operations that are outside the scope of the folder hierarchy. Examples of system-wide operations include creating and managing shared schedules or accessing Report Builder, which are operations that can be performed independently of any item. Item-level and system-level roles should be used together in role assignments to provide a complete set of permissions throughout the report server folder hierarchy, and across the report server.
The role assignments that you set are used for all subsequent access to the report server, regardless of the tool or approach used to access the server. Report server access through Report Manager, Management Studio, the authoring tools, URL access, and programmatic access through other applications is controlled through the role assignments that control access to a specific server.
Security settings are stored in the report server database. If you are configuring multiple report servers in a scale-out-deployment, the role assignments that you define on one instance are stored in a shared database and used by all the other instances in the same scale-out deployment.
To grant access to report server items and operations, follow these guidelines:
- Identify which users and groups require access to the report server, and at what level. Most users should be assigned to the Browser role or the Report Builder role. A smaller number of users should be assigned to the Publisher role. Very few users should have Content Manager permissions.
- On the Home folder (this is the top-level folder of the report server folder hierarchy), create item-level role assignments for each user or group using the predefined roles such as Browser, Publisher, and Content Manager.
- At the site level, create a system-level role assignment for each user and group using the predefined roles System User and System Administrator.
To learn how to define role assignments, see Tutorial: Setting Permissions in Reporting Services.
If you configured a report server to run in SharePoint integrated mode, you must set permissions on the SharePoint site to grant access to report server items. For more information, see Managing Permissions and Security for Report Server Items on a SharePoint Site.
Who Sets Permissions
Initially, only users who are members of the local administrators group can create role assignments or modify role definitions. Reporting Services is installed with two default role assignments that grant item-level and system-level access to members of the local administrators group.
A local administrator must create additional role assignments to make the report server available to other user and group accounts. A local administrator can create role assignments that allow other users to set and manage permissions. By default, users who are assigned to the Content Manager and System Administrator roles can manage permissions for other users.
To define roles and role assignments, use Report Manager or Management Studio. For instructions, see Tutorial: Setting Permissions in Reporting Services. For additional information about how to configure security, see Securing Reporting Services.
Authentication in Reporting Services
Through role-based security, Reporting Services provides an authorization model, but it does not include an authentication component. In order for authorization to work, the underlying network security must be able to authenticate the users and groups who access the report server.
Authentication is provided through security extensions that are part of a report server. The default security extension uses Windows authentication, but you can create a custom authentication extension if you want to support user logons through forms authentication or some other authentication solution.
The topics in this section assume you are using Windows Authentication to establish the identity of all users who access a report server. Reporting Services provides support for custom authentication models. However, you must create an authentication extension to support it. For more information, see Implementing a Security Extension.
On a report server, authentication through the default Windows security extension is performed by Internet Information Services (IIS). The user and group accounts that you specify in role assignments are created and managed through Active Directory. Only valid accounts can be specified. A report server verifies the validity of user and group accounts periodically. Role assignments that specify accounts that are no longer defined in Active Directory are removed. This action is logged as an information message in the application log file.
Reporting Services provides an extensible architecture that allows you to replace default security with a custom authentication extension. Custom authentication extensions are used to authenticate users to a report server. Subsequent connections to remote computers and external data sources use Windows authentication or SQL Server authentication if the data is stored in a SQL Server database. If you are using custom authentication, it will affect connections to external data sources, requiring that you use prompted or stored credentials to access data.
In This Section
- Role Assignments
Describes the role assignments that control how users or groups access specific items on a report server.
- Securable Items
Describes the report server items that are secured through role assignments.
- Role Definitions
Explains how tasks are rolled up into a set of role definitions. You use role definitions in role assignments to define the operations that a user can perform.
- Tasks and Permissions in Reporting Services
Describes all of the tasks that can be performed on report server.
- Minimum Security and Access Permissions for Local Administrators
Describes the minimum level of security that you must have and explains how system lockouts are prevented.
- Using Default Security
Describes the preset role assignments and role definitions that control access to a report server.
- Configuring Security Through Role Assignments
Explains how to configure security and provides best practices for customizing security.
Managing Permissions and Security for Report Server Items on a SharePoint Site
Security Overview for Reporting Services in SharePoint Integration Mode
Configuring Authentication for Reporting Services
Creating, Modifying, and Deleting Role Definitions
Creating, Modifying, and Deleting Role Assignments
Setting System-Level Security
Securing Reporting Services
Integrated Security and Elevated Permissions