Lesson 3: Setting Permissions on Specific Items
You can create role assignments that grant permissions to specific items that are located in subfolders in the report server folder hierarchy. How you set security depends on whether you expect users to browse for an item through Report Manager or access it directly through a URL that resolves to that item.
For URL access to a report, you can create a role assignment that sets permissions directly on that report. Users who click on the URL will view the report in a browser window. Because access is allowed only on the report and not on parent folders, the URL must include the fully qualified folder path to the report. If the report uses a model as a data source, the model must also be specified on the URL and permissions to view the model must be specified in advance in order for the report to run. To learn more about URL access, see Using a URL to Access Report Server Items.
For item access through Report Manager, where a user browses folders to find items of interest, you should specify view-only permissions on each folder in the navigation path, as well as on the particular item. This allows users to open Report Manager and click through folders to find the report. Without folder permissions, users will see an empty page with no ability to browse to the target report, model, shared data source, or resource.
In this lesson, you will learn how to create a new role definition that is used only for viewing a folder, and then use the role to specify view permissions on folders and on a sample report. Creating and managing a role definition is done in Management Studio so to complete this lesson, you will need to use that tool in addition to Report Manager.
To verify the results of this lesson, you should have a domain user or group account for which you are granting permissions. The account must have db_reader permissions on the AdventureWorks sample database. The account must not be a member of a security group that already has permissions on the report server. Role assignments are cumulative; if a user already has wide-ranging permissions to view content on a report server, specifying more restrictive permissions will have no effect.
If you do not have a domain account to work with, create a local user account to use with this tutorial. At the end of the tutorial, you can log on as that user to verify that only the items you set permissions on are accessible to that user. If you do not know how to create a SQL Server login or local user account, review Lesson 1: Setting Up Permissions for this Tutorial. The lesson is part of a different tutorial, but you can use it to learn how to set up accounts.
To create a role definition for navigating folders
In SQL Server Management Studio, connect to a report server, and then expand the report server node.
Open Security folder.
Right-click Roles and select New Role. The New Role dialog box appears.
In Name, enter Folder Navigation.
In Task, select View Folders.
To create role assignments for navigating folders
Open a browser window and type the Report Manager URL to start the application.
Click Home at the top of the page to open the Report Manager home page.
Click the Properties tab.
Click New Role Assignment.
In Group or user name, specify the name of a domain user or group account that needs permission to navigate folders. Specify the account in this format: domain\user. The account should be in the same domain or in a trusted domain.
Select Folder Navigation.
Because permissions are inherited, you do not need to repeat these steps on additional folders. The user will have view permissions on all folders in the report server hierarchy.
To create role assignments on the report
In Home, open the AdventureWorks Sample Reports folder.
Select Company Sales and click the Properties tab.
Click New Role Assignment.
In Group or user name, specify a domain user account that needs permission to view the report.
You have successfully created an item-level role assignment on a specific report. The user has permission to open folders and view a single report. No other items are visible to the user. To check your work, ask the user to open Report Manager and access the report.
If you are using a local user account that you created for test purposes, you can right-click a Microsoft Internet Explorer shortcut, click Run as, select The following user, specify the test account, and then type the Report Manager URL.
This lesson completes the tutorial on how to set permissions on a report server. To learn more about security, see Tutorial: Applying Security Filters to Report Model Items.