How to: Set Permissions on Model Items (Reporting Services in SharePoint Integrated Mode)

You can set permissions on entities and perspectives in a report model (.smdl) to grant access to specific portions of the model. Setting permissions on specific items breaks permission inheritance from the parent model file. Once inheritance is broken, you must create and manage new permission policies for every group or user who requires access to items within the model.

To set model item security on a model that is stored in a SharePoint library, you use the Model Item Security page on a SharePoint site. This application page is available when you install the Reporting Services Add-in on Windows SharePoint Services. You must have Manage Permissions permission to grant access to items within a model. This permission is typically assigned to users who have Full Control level of permission. For more information about how to extend this permission to other users, see How to: Set Permissions for Report Server Items on a SharePoint Site (Reporting Services in SharePoint Integrated Mode).

Model item security provides read-only access. If you grant access to a user or group, that user or group can view the data for an entity or perspective. You cannot explicitly deny access, but the absence of permissions will produce the same result.

When setting permissions on model items, follow these guidelines:

  • For users who require broad access throughout the model (for example, to explore data or design reports in Report Builder), grant permissions on the root node of the model.

  • For users who require only limited access (for example, to view a report that contains data about the Contact entity), grant permissions on a specific entity or set of entities within the model hierarchy, but not on the root node itself.

  • You must have a permission assignment on the root node for at least one user. This is a requirement, even when all other permissions are granted on specific entities.

If the model is regenerated, you must reset the permissions. Regenerating a model will erase all permission settings within the model. Be aware that any user who has a Contribute level of permission or Add Items permission can regenerate the model. The user will not be warned about the potential loss of security settings.

To secure individual model items

  1. On the site, select the library that contains the report model.

  2. Select the report model, click the down arrow, and click Manage Model Item Security. If you do not see this action, you do not have permission to set model item security.

  3. In the Model Item Security page, select Secure individual model items independently. This will break permission inheritance on the model.

  4. Select the root node of the model.

  5. In Assign permissions to the following users and groups, enter a user or an Active Directory security group account for users who require total access to the model. You can enter multiple accounts by using a semicolon to separate each one. You must specify at least one account for the root node in order to save this page.

  6. In the model, select the specific entity or perspective to which you want to restrict access.

  7. Select Assign permissions to the following users and groups.

  8. Enter a user or an Active Directory security group account for users who should be restricted to viewing just that entity or perspective.

  9. Click OK.

After you set model item security, users who have permission to load the model into Report Builder can create reports using the parts of the model to which they have access. Similarly, after the report is saved to a library, users can open the report and view data from the parts of the model to which they have access.

To view a report that uses model item security, a user must have Open Items permission on the report and on any model that is used by the report. In most cases, users who have permission to access the SharePoint site will have this permission automatically. The Open Items permission is part of all predefined permission levels except Limited Access.