Role Assignments

In Reporting Services, role assignments determine access to stored items and to the report server itself. A role assignment has the following parts:

  • A securable item for which you want to control access. Examples of securable items include folders, reports, and resources.

  • A user or group account that can be authenticated by Windows security or another authentication mechanism.

  • Role definitions define a set of permissible tasks and include:

    • Browser
    • Content Manager
    • My Reports
    • Publisher
    • Report Builder
    • System Administrator
    • System User

Role assignments are inherited within the folder hierarchy and are automatically inherited by contained:

  • Reports
  • Shared data sources
  • Resources
  • Subfolders

You can override inherited security by defining role assignments for individual items. All parts of the folder hierarchy must be secured by at least one role assignment. You can't create an unsecured item or manipulate settings in a way that produces an unsecured item.

The following diagram illustrates a role assignment that maps a group and a specific user to the Publisher role for Folder B.

[Role assignments diagram]

System-Level and Item-Level Role Assignments

Role-based security in Reporting Services is organized into the following levels:

  • Item-level role assignments control access to items in the report server folder hierarchy such as:

    • reports
    • folders
    • report models
    • shared data sources
    • other resources

    Item-level role assignments are defined when you create a role assignment on a specific item, or on the Home folder.

  • System role assignments authorize operations that are scoped to the server as a whole. For example, the ability to manage jobs is a system-level operation. A system role assignment isn't the equivalent of a system administrator. It doesn't confer advanced permissions that grant full control of a report server.

A system role assignment doesn't authorize access to items in the folder hierarchy. System and item security are mutually exclusive. Sometimes, you might need to create both a system-level and item-level role assignment to provide sufficient access for a user or group.

Users and Groups in Role Assignments

The users or group accounts that you specify in role assignments are domain accounts. The report server references, but doesn't create or manage, users and groups from a Microsoft Windows domain (or another security model if you're using a custom security extension).

Of all the role assignments that apply to any given item, no two can specify the same user or group. If a user account is also a member of a group account, and you have role assignments for both, the combined set of tasks for both role assignments is available to the user.

When you add a user to a group that already has a role assignment, you must reset Internet Information Services (IIS) for the new role assignment to take effect.
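The rules above (inheritance down the folder hierarchy, item-level overrides, the separate system-level scope, and the combined tasks of user and group assignments) can be modeled to audit a user's effective roles. The following is an added example, not code from Reporting Services or from this page; the paths, accounts, group membership, and function names are constructed, and it assumes that an item with its own role assignments uses only those and no longer inherits from its parent.

```python
import posixpath

# Constructed sample data (not from a real server). Item path -> explicit role
# assignments, keyed by principal so no two assignments on an item can name the
# same user or group. Paths missing from the map inherit from an ancestor.
ITEM_ASSIGNMENTS = {
    "/": {r"BUILTIN\Administrators": {"Content Manager"}},
    "/FolderB": {r"CONTOSO\Finance": {"Publisher"}, r"CONTOSO\alice": {"Browser"}},
    "/FolderB/Payroll": {r"CONTOSO\HR": {"Browser"}},  # item-level override
}
# System-level assignments are a separate scope from the folder hierarchy.
SYSTEM_ASSIGNMENTS = {
    r"BUILTIN\Administrators": {"System Administrator"},
    r"CONTOSO\bob": {"System User"},
}
# Constructed group membership; a real server resolves this through the domain.
GROUPS = {r"CONTOSO\alice": {r"CONTOSO\Finance"}, r"CONTOSO\bob": set()}


def governing_path(item_path):
    """Return the nearest path (the item or an ancestor) with explicit assignments.
    Assumption: an override replaces the inherited assignments for that item."""
    path = item_path
    while path not in ITEM_ASSIGNMENTS:
        if path == "/":
            raise ValueError("unsecured hierarchy: Home folder has no role assignment")
        path = posixpath.dirname(path)
    return path


def _roles_for(user, assignments):
    """Union the roles granted to the user directly and through each group."""
    roles = set()
    for principal in {user} | GROUPS.get(user, set()):
        roles |= assignments.get(principal, set())
    return roles


def item_roles(user, item_path):
    """Item-level roles the user holds on item_path after inheritance."""
    return _roles_for(user, ITEM_ASSIGNMENTS[governing_path(item_path)])


def system_roles(user):
    """System-level roles; these never imply access to items."""
    return _roles_for(user, SYSTEM_ASSIGNMENTS)
```

In this sample, alice holds both Publisher and Browser on anything that inherits from /FolderB, loses access at the /FolderB/Payroll override, and bob's System User role gives him no item-level roles at all.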

Predefined Role Assignments

By default, predefined role assignments are implemented that allow local administrators to manage the report server. You can add additional role assignments to grant access to other users.

For more information about the predefined role assignments that provide default security, see Predefined Roles.

See Also

Create, Delete, or Modify a Role (Management Studio)

Modify or Delete a Role Assignment (SSRS web portal)

Set Permissions for Report Server Items on a SharePoint Site (Reporting Services in SharePoint Integrated Mode)

Granting Permissions on a Native Mode Report Server