Secure Operation (Reporting Services)
This topic provides guidelines on how to monitor report server access and maintain server security. As a report server administrator, you will want to consider:
Who is running reports, especially reports that have sensitive data.
How to update configuration settings when logins or accounts change.
How to revoke or change permissions when someone leaves your company or department.
How to revoke or change permissions for a report server administrator.
Auditing Report Access
The report execution log contains information about who is accessing reports. Although this information can be found in the report server database, it is strongly recommended that you create a separate database for the purpose of querying report server execution data. Reporting Services provides a sample Integration Services package that you can use to load and refresh the data that you want to analyze. For more information, see Querying and Reporting on Report Execution Log Data.
Updating Server Account Information
Reporting Services is a distributed server application. The report server and the report server databases can be on separate computers. Moreover, if the report server runs as a back-end server within a larger deployment of a SharePoint product or technology, you will have an additional connection to maintain between the SharePoint Web application and the report server.
The following list describes the accounts and logins you must maintain:
Report Server service.
Report server connection to the report server database.
Unattended report processing account.
Stored credentials for scheduled report or subscription processing.
Stored credentials in data-driven subscriptions.
For a report server that runs in SharePoint integrated mode, you must maintain the SharePoint database logins used by the report server to connect to the configuration and content databases. The database login is managed through SharePoint Central Administration. For instructions on how to set or update the logins, see How to: Configure Report Server Integration in SharePoint Central Administration.
You can use a built-in account for the Report Server service if you want to maintain fewer accounts. You can also configure the connection to the report server database to use the service account.
For all other accounts and logins, you must update shared data sources or custom data source settings whenever the account changes or a password expires. Using shared data sources can greatly reduce the overhead of this task. For more information, see Managing Report Data Sources.
Revoking or Changing Report Server Administrator or User Permissions
A report server administrator is a person who is a member of the local Administrators group on the report server computer. As such, this person has full permissions across the report server site and throughout the report server folder hierarchy, with the ability to grant server access to other users, add or remove items, modify properties of any item, change report server configuration settings, and so on. If you want to revoke permissions, you must remove the user account from the Administrators group.
It is not necessary to be a member of the local Administrators group to have far-reaching permissions on a report server. Specifically, if a user is assigned to the Content Manager role and System Administrator role on the report server, that user has permission to set role-based security and modify content or properties stored in the server. If you want to revoke this permission, you can delete or modify the role assignment. For more information, see How to: Modify or Delete a Role Assignment (Report Manager).
Revoking or Changing User Permissions
If an employee leaves the department or company, you can delete role assignments to prevent access to reports. If you created custom role assignments on specific folders or reports, be sure to check all of them.
Deleting a role assignment does not automatically delete subscriptions. To delete subscriptions, you must delete them from each report. There is no bulk edit feature for managing all of the subscriptions in a single place.
If the user is a recipient of a standard or data-driven subscription, removing role assignments will block the subscription for that user. However, you should always delete any subscription that is inactive.
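Because role assignments can be set on individual folders and reports, and subscriptions must be reviewed report by report, the check can be scripted. The following read-only Windows PowerShell script is an added example, not part of the original topic. It assumes a native-mode report server that exposes the ReportService2010 SOAP endpoint; the server URL and account name are placeholders.

```powershell
# Read-only offboarding audit: lists where an account is still named in a role
# assignment or owns a subscription. Nothing is modified or deleted.
# Assumptions: Windows PowerShell 5.1 (New-WebServiceProxy), a native-mode
# server exposing ReportService2010.asmx, placeholder URL and account name.
$Uri  = 'http://reportserver.example/ReportServer/ReportService2010.asmx?wsdl'
$User = 'EXAMPLE\departing.user'
$rs   = New-WebServiceProxy -Uri $Uri -UseDefaultCredential

# System-level role assignments (for example, System Administrator).
$system = $rs.GetSystemPolicies() | Where-Object { $_.GroupUserName -eq $User } |
    ForEach-Object {
        [pscustomobject]@{ Scope = 'System role'; Path = '(site)'
                           Detail = $_.Roles.Name -join ', ' }
    }

# Whole catalog in one call; the root folder is added because ListChildren
# returns only descendants.
$catalog = @($rs.ListChildren('/', $true))
$paths   = @('/') + @($catalog | ForEach-Object { $_.Path })

# Item-level role assignments. Items that inherit security from their parent
# are skipped, so each assignment is reported once, where it is defined.
# Only direct entries match; access granted through a Windows group does not.
$itemRoles = foreach ($path in $paths) {
    $inherits = $true
    $policies = $rs.GetPolicies($path, [ref]$inherits)
    if ($inherits) { continue }
    $policies | Where-Object { $_.GroupUserName -eq $User } | ForEach-Object {
        [pscustomobject]@{ Scope = 'Item role'; Path = $path
                           Detail = $_.Roles.Name -join ', ' }
    }
}

# Subscriptions are managed per report, so query each report and keep the
# ones owned by the account.
$subs = foreach ($report in $catalog | Where-Object { $_.TypeName -eq 'Report' }) {
    $rs.ListSubscriptions($report.Path) | Where-Object { $_.Owner -eq $User } |
        ForEach-Object {
            [pscustomobject]@{ Scope = 'Subscription'; Path = $report.Path
                               Detail = "$($_.SubscriptionID) $($_.Description)" }
        }
}

@($system) + @($itemRoles) + @($subs) | Sort-Object Scope, Path | Format-Table -AutoSize
```

The output is a worklist for the manual steps above: each row is a role assignment to delete or modify, or a subscription to delete from its report.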