設定報表產生器的存取Configure Report Builder Access

報表產生器是一個隨選報表工具,它會與設定原生模式或 SharePoint 整合模式的 [SQL Server]SQL Server Reporting ServicesReporting Services 報表伺服器一起安裝。Report Builder is an ad hoc reporting tool that installs with a [SQL Server]SQL Server Reporting ServicesReporting Services report server configured for either native mode or SharePoint integration mode.

報表產生器的存取權會因下列因素而異:Access to Report Builder depends on the following factors:

  • 決定是否可以在報表伺服器上使用報表產生器的伺服器屬性。Server properties that determine whether Report Builder is available on the report server.

  • 可將報表產生器提供給個別使用者或群組使用的角色指派或權限。Role assignments or permissions that make Report Builder available to individual users or groups.

  • 驗證設定,可判斷使用者認證是否可以傳遞給報表伺服器,或是在應用程式檔案上設定匿名存取。Authentication settings that determine whether user credentials can be passed through to the report server or anonymous access is configured on application files.

若要使用報表產生器,您必須具有要使用的已發行報表模型。To use Report Builder, you must have a published report model to work with.

先決條件Prerequisites

並非每個 MicrosoftMicrosoft[SQL Server]SQL Server版本中都可使用報表產生器。Report Builder is not available in every edition of MicrosoftMicrosoft[SQL Server]SQL Server. 如需的版本所支援的功能清單[SQL Server]SQL Server,請參閱 < 支援的 SQL Server 2014 的版本功能For a list of features that are supported by the editions of [SQL Server]SQL Server, see Features Supported by the Editions of SQL Server 2014.

用戶端電腦必須已經安裝 MicrosoftMicrosoft .NET Framework.NET Framework 2.0。The client computer must have the MicrosoftMicrosoft .NET Framework.NET Framework 2.0 installed. .NET Framework.NET Framework 提供了執行 ClickOnceClickOnce 應用程式的基礎結構。The .NET Framework.NET Framework provides the infrastructure for running ClickOnceClickOnce applications.

您必須使用 MicrosoftMicrosoft Internet Explorer 6.0 或更新版本。You must use MicrosoftMicrosoft Internet Explorer 6.0 or later.

報表產生器一定會在完全信任模式中執行;您不能設定它在部分信任模式中執行。Report Builder always runs in full trust; you cannot configure it to run in partial trust. 在舊版中,報表產生器可以在部分信任模式中執行,但是在 SQL Server 2008SQL Server 2008 和更新版本中則不支援這個選項。In previous releases, it was possible to run Report Builder in partial trust, but that option is not supported in SQL Server 2008SQL Server 2008 and later versions.

啟用及停用報表產生器Enabling and Disabling Report Builder

預設會啟用報表產生器。Report Builder is enabled by default. 報表伺服器管理員可以選擇將報表伺服器系統屬性 EnableReportDesignClientDownload 設定為 false,以停用報表產生器功能,Report server administrators have the option of disabling the Report Builder feature by setting the report server system property EnableReportDesignClientDownload to false. 設定這個屬性將會停用該報表伺服器的報表產生器下載功能。Setting this property will disable Report Builder downloads for that report server.

若要設定報表伺服器系統屬性,您可以使用 Management Studio 或指令碼:To set report server system properties, you can use Management Studio or script:

原生模式報表伺服器上授與報表產生器存取的角色指派Role Assignments Granting Report Builder Access on a Native Mode Report Server

在原生模式報表伺服器上,建立使用者角色指派來包含使用報表產生器的工作。On a native mode report server, create user role assignments that include tasks for using Report Builder. 您必須是內容管理員和系統管理員,才能建立或修改項目和網站層級的角色定義與角色指派。You must be a Content Manager and System Administrator to create or modify role definitions and role assignments on items and at the site level.

下列指示假設您使用預先定義的角色。The following instructions assume that you are using predefined roles. 如果您已修改角色定義或是從 SQL Server 2000 升級,請檢查這些角色,以確認它們有包含所需的工作。If you modified the role definitions or if you upgraded from SQL Server 2000, check the roles to verify they contain the necessary tasks. 如需建立角色指派的詳細資訊,請參閱將報表伺服器的存取權授與使用者 (報表管理員)For more information about creating role assignments, see Grant User Access to a Report Server (Report Manager).

在建立角色指派之後,使用者將有權執行以下作業:After you create the role assignments, users will have permission to do the following:

  • 指派給「系統使用者」和「瀏覽者」角色的使用者可以檢視報表伺服器上的已發行報表產生器報表,而不需啟動報表產生器。Users assigned to the System User and Browser roles can view published Report Builder reports on a report server, without having to launch Report Builder.

  • 指派給「系統使用者」和「報表產生器」角色的使用者可以產生模型、啟動報表產生器及建立報表,並將報表儲存到報表伺服器。Users assigned to the System User and Report Builder roles can generate models, start Report Builder and create reports, and save reports to the report server.

  • 指派給「系統使用者」和「發行者」角色的使用者可以從模型設計師將模型發行到報表伺服器。Users assigned to the System User and Publisher roles can publish models from Model Designer to the report server. 模型會在報表產生器中當做資料來源使用。Models are used as data sources in Report Builder.

  • 指派給「系統管理員」和「內容管理員」角色的使用者具有建立、檢視及管理報表產生器報表的完整權限。Users assigned to the System Administrator and Content Manager roles have full permissions to create, view, and manage Report Builder reports.

確認必要工作位於角色定義中To verify required tasks are in the role definitions

  1. 啟動 Management Studio,然後連接到報表伺服器。Start Management Studio and connect to the report server.

  2. 開啟 [安全性] 資料夾。Open the Security folder.

  3. 開啟 [系統角色] 資料夾。Open the System Roles folder.

  4. 以滑鼠右鍵按一下 [系統管理員] ,然後選取 [屬性] 。Right-click System Administrator, and select Properties.

  5. 選取 [執行報表定義] ,然後按一下 [確定] 。Select Execute report definitions and click OK.

  6. 以滑鼠右鍵按一下 [系統使用者] ,然後選取 [屬性] 。Right-click System User, and select Properties.

  7. 選取 [執行報表定義] ,然後按一下 [確定] 。Select Execute report definitions and click OK.

  8. 開啟 [角色] 資料夾。Open the Roles folder.

  9. 以滑鼠右鍵按一下 [瀏覽器] ,然後選取 [屬性] 。Right-click Browser, and select Properties.

  10. 選取 [檢視模型] ,然後按一下 [確定] 。Select View models and click OK.

  11. 以滑鼠右鍵按一下 [內容管理員] ,然後選取 [屬性] 。Right-click Content Manager, and select Properties.

  12. 選取 [檢視模型] 、[管理模型] 、[取用報表] ,然後按一下 [確定] 。Select View models, Manage models, Consume reports, and click OK.

  13. 以滑鼠右鍵按一下 [發行者] ,然後選取 [屬性] 。Right-click Publisher, and select Properties.

  14. 選取 [管理模型] ,然後按一下 [確定] 。Select Manage models and click OK.

  15. 如果報表產生器角色不存在,請建立該角色:Create the Report Builder role if it does not exist:

    1. 開啟 [安全性] 資料夾。Open the Security folder.

    2. 以滑鼠右鍵按一下 [角色] ,並選取 [新增角色] 。Right-click Roles, and select New Role.

    3. 在 [名稱] 中,輸入 報表產生器In Name, type Report Builder.

    4. 在 [描述] 中,輸入角色的描述,好讓報表管理員中的使用者知道這個角色的目的。In Description, enter a description for the role so that users in Report Manager know what the role is for.

    5. 新增下列工作:取用報表檢視的報表檢視模型檢視資源檢視資料夾,以及管理個別訂閱s。Add the following tasks: Consume reports, View reports, View models, View resources, View folders, and Manage individual subscriptions.

    6. 按一下 [確定] ,儲存角色。Click OK to save the role.

建立角色指派來授與報表產生器的存取權To create role assignments that grant access to Report Builder

  1. 啟動報表管理員。Start Report Manager.

  2. 按一下 [站台設定]Click Site Settings.

  3. 按一下 [安全性]Click Security.

  4. 如果您想要設定報表產生器存取的使用者或群組已經有角色指派,請按一下 [編輯] 。If a role assignment already exists for the user or group for which you want to configure Report Builder access, click Edit.

    否則請按一下 [新增角色指派] 。Otherwise, click New Role Assignment. 在群組或使用者中,使用下列格式來輸入 Windows 網域使用者或群組帳戶:<網域>\<帳戶>。In Group or user, enter a Windows domain user or group account in this format: <domain>\<account>. 如果您要使用表單驗證或自訂安全性,請使用適用於部署的正確格式來指定使用者或群組帳戶。If you are using forms authentication or custom security, specify the user or group account in the format that is correct for your deployment.

  5. 選取 [系統使用者] ,然後按一下 [確定] 。Select System User, and then click OK.

  6. 按一下 [首頁] 。Click Home.

  7. 按一下 [資料夾設定] 索引標籤。Click the Folder Settings tab.

  8. 按一下 [安全性] 索引標籤。Click the Security tab.

  9. 如果您想要設定報表產生器存取的使用者或群組已經有角色指派,請按一下 [編輯] 。If a role assignment already exists for the user or group for which you want to configure Report Builder access, click Edit.

    否則請按一下 [新增角色指派] 。Otherwise, click New Role Assignment. 在群組或使用者中,使用下列格式來輸入 Windows 網域使用者或群組帳戶:<網域>\<帳戶>。In Group or user, enter a Windows domain user or group account in this format: <domain>\<account>. 如果您要使用表單驗證或自訂安全性,請使用適用於部署的正確格式來指定使用者或群組帳戶。If you are using forms authentication or custom security, specify the user or group account in the format that is correct for your deployment.

  10. 選取 [報表產生器] ,然後按一下 [套用] 。Select Report Builder, and then click Apply.

  11. 重複上述步驟,以便建立或修改其他使用者或群組的角色指派。Repeat to create or modify role assignments for additional users or groups.

授與 SharePoint 整合模式報表伺服器之報表產生器存取的權限Permissions Granting Report Builder Access on a SharePoint Integrated Mode Report Server

在 SharePoint 整合模式報表伺服器上,報表產生器的存取會授與給具有「參與」或「完全控制」權限等級的 SharePoint 使用者。On a SharePoint integrated mode report server, Report Builder access is granted to SharePoint users who have either Contribute or Full Control permission levels.

如果您要使用自訂權限等級,您必須在此權限等級中包括「加入項目」和「編輯項目」。If you use custom permission levels, you must include Add Items and Edit Items in the permission level. 如需透過內建權限層級存取報表產生器的詳細資訊,請參閱 在 Windows SharePoint Services 中使用報表伺服器項目的內建安全性For more information about Report Builder access through built-in permission levels, see Use Built-in Security in Windows SharePoint Services for Report Server Items. 如需自訂權限層級的權限需求詳細資訊,請參閱 在 SharePoint Web 應用程式中設定報表伺服器作業的權限For more information about permission requirements for custom permission levels, see Set Permissions for Report Server Operations in a SharePoint Web Application.

驗證考量與認證重複使用Authentication Considerations and Credential Reuse

報表產生器會使用 ClickOnce 技術,將它的應用程式檔案下載及安裝到用戶端電腦上。Report Builder uses ClickOnce technology to download and install its application files on a client computer. ClickOnce 技術要用於單向應用程式部署,這個部署會將程式檔案放在用戶端電腦上,並在預設使用者的識別之下以個別處理序的形式執行應用程式。ClickOnce technology is intended for one-way application deployment that places program files on a client computer and runs the application as a separate process under the identity of the default user. 由於報表產生器必須連回報表伺服器,以取得應用程式檔案和報表伺服器資料,所以請務必了解 ClickOnce 如何設定安全性內容以及在不同狀況下對遠端電腦發出要求:Because Report Builder must connect back to the report server to get application files and report server data, it is important to understand how ClickOnce sets the security context and issues requests to remote computers under different scenarios:

  • ClickOnce 一定會在用戶端電腦上當做個別處理序來執行。ClickOnce always runs as a separate process on the client computer. 處理序識別是預設的 Windows 使用者認證。The process identity is the default Windows user credentials. ClickOnce 不會與 Internet Explorer 共用工作階段資料或是從 Internet Explorer 取得目前的使用者安全性內容。ClickOnce does not share session data with Internet Explorer or obtain the current user security context from Internet Explorer.

  • ClickOnce 會傳送要求,以便在驗證標頭中指定 Windows 整合式安全性。ClickOnce sends requests that specify Windows integrated security in the authentication header. 如果伺服器設定了不同的驗證類型,伺服器將無法處理 ClickOnce 的要求,而且會產生驗證錯誤。If a server is configured for a different authentication type, the server will fail requests from ClickOnce with an authentication error. 這個問題的解決方法如下:您必須針對 Windows 整合式安全性設定伺服器,或者必須啟用匿名存取來排除驗證檢查。To work around this issue, you must either configure a server for Windows integrated security or you must enable Anonymous access to eliminate the authentication check.

  • 報表產生器會開啟它自己與報表伺服器的連接。Report Builder opens its own connection to a report server. 如果您未搭配單一登入來使用 Windows 整合式安全性,使用者必須針對與報表伺服器的報表產生器連接重新輸入認證。If you are not using Windows integrated security with single sign on, users must re-type their credentials for the Report Builder connection to the report server.

下表說明報表伺服器所支援的驗證類型,以及是否需要其他組態才能存取報表產生器。The following table describes the authentication types supported by the report server, and whether additional configuration is required to access Report Builder.

報表伺服器驗證類型Report Server Authentication Type 報表產生器和 ClickOnce 應用程式啟動器的回應方式How Report Builder and ClickOnce Application launcher responds
交涉 (預設值)Negotiate (default)

NTLM (預設值)NTLM (default)
在 Windows 整合式安全性之下,如果用戶端和伺服器部署在相同的網域中、使用者使用有權存取報表產生器的網域帳戶來登入用戶端電腦,而且報表伺服器有設定 Windows 驗證時,來自 ClickOnce 和報表產生器的已驗證要求通常會成功。Under Windows integrated security, authenticated requests from ClickOnce and Report Builder typically succeed if the client and server are deployed in the same domain, the user is logged in to the client computer using a domain account with permission to access the Report Builder, and the report server is configured for Windows Authentication.

要求成功是因為 ClickOnce 以及與報表伺服器的瀏覽器連接具有相同的使用者識別。Requests succeed because ClickOnce and the browser connection to the report server have the same user identity.

如果使用者使用 [執行身分] 開啟 Internet Explorer 而且指定了非預設的認證,要求將會失敗。Requests will fail if the user opened Internet Explorer with Run As and specified non-default credentials. 如果報表伺服器上的使用者工作階段是在特定的帳戶之下建立,而且 ClickOnce 會在不同的帳戶下執行,則報表伺服器將會拒絕檔案的存取。If the user session on the report server is established under a specific account, and ClickOnce runs under a different account, the report server will deny access to the files.
KerberosKerberos 使用報表產生器所需的 Internet Explorer 並不會直接支援 Kerberos。Internet Explorer, which is required for using Report Builder, does not support Kerberos directly.
基本驗證Basic authentication ClickOnce 不支援基本驗證。ClickOnce does not support Basic authentication. ClickOnce 將不會在驗證標頭中編寫用於指定基本驗證的要求,It will not formulate requests that specify Basic authentication in the authentication header. 也不會傳遞認證或是提示使用者提供認證。It will not pass credentials or prompt the user to provide them. 您可以啟用報表產生器應用程式檔案的匿名存取來解決這些問題。You can work around these issues by enabling Anonymous access to the Report Builder application files.

如果您啟用報表產生器應用程式檔案的匿名存取,要求將會成功,因為報表伺服器會忽略驗證標頭。Requests will succeed if you enable Anonymous access to the Report Builder application files because the report server ignores the authentication header. 如需如何啟用報表產生器匿名存取的詳細資訊,請參閱 設定報表伺服器上的基本驗證For more information about how to enable Anonymous access to Report Builder, see Configure Basic Authentication on the Report Server.

在 ClickOnce 擷取應用程式檔案之後,報表產生器會開啟與報表伺服器的個別連接。After ClickOnce retrieves the application files, Report Builder opens a separate connection to a report server. 使用者必須重新輸入認證,才能讓報表產生器連接報表伺服器。Users must re-type their credentials to get Report Builder to connect to the report server. 報表產生器不會從 Internet Explorer 或 ClickOnce 收集認證。Report Builder does not collect credentials from Internet Explorer or ClickOnce.

如果報表伺服器有設定基本驗證,而且您並未啟用報表產生器程式檔案的匿名存取,要求將會失敗。Requests will fail if the report server is configured for Basic authentication and you did not enable Anonymous access to the Report Builder program files. 要求失敗是因為 ClickOnce 會在它的要求中指定 Windows 整合式安全性。The request fails because ClickOnce specifies Windows integrated security on its requests. 如果報表伺服器有設定基本驗證,伺服器將會拒絕要求,因為它會指定無效的安全性封裝,而且它會缺少報表伺服器所預期的認證。If you configure the report server for Basic authentication, the server will reject the request because it specifies an invalid security package and because it lacks the credentials that the report server expects.

此外,如果報表伺服器設定為使用 SharePoint 整合模式,而且 SharePoint 網站使用基本驗證,則當使用者嘗試使用 ClickOnce 在用戶端電腦上安裝報表產生器時,會出現 401 錯誤。Additionally, if the report server is configured to use SharePoint integrated mode and the SharePoint site uses Basic authentication, users will encounter a 401 error when they try to use ClickOnce to install Report Builder on their client computers. 發生這個狀況的原因是 SharePoint 會使用 Cookie 讓使用者在工作階段期間維持驗證狀態,但是 ClickOnce 不支援 Cookie。This happens because SharePoint uses a cookie to keep a user authenticated for the duration of the session, but ClickOnce does not support the cookie. 當使用者啟動 ClickOnce 應用程式 (例如報表產生器) 時,應用程式不會讓 Cookie 通過 SharePoint,因此 SharePoint 會拒絕存取並傳回 401 錯誤。When a user launches a ClickOnce application, such as Report Builder, the application does not pass the cookie to SharePoint and thus SharePoint denies access and returns a 401 error.

您可以嘗試下列其中一個選項來解決這個問題:You can work around this issue by trying one of the following options:

選取 記住我的密碼選項時提供您的使用者認證。Select the Remember my password option when you provide your user credentials.

針對 SharePoint 網站集合啟用匿名存取。Enable Anonymous access to the SharePoint site collection.

設定環境,讓使用者不提供認證。Configure the environment so that the user does not provide credentials. 例如,在內部網路環境中,您可能會將 SharePoint 伺服器設定為屬於某個工作群組,然後在本機電腦上建立使用者帳戶。For example, in an intranet environment you might configure the SharePoint server to belong to a Workgroup and then create user accounts on the local computer.
自訂Custom 當您設定報表伺服器使用自訂驗證時,報表伺服器上會啟用匿名存取,而且會接受要求而不執行驗證檢查。When you configure a report server to use custom authentication, Anonymous access is enabled on the report server and requests are accepted with no authentication check.

在 ClickOnce 擷取應用程式檔案之後,報表產生器會開啟與報表伺服器的個別連接。After ClickOnce retrieves the application files, Report Builder opens a separate connection to a report server. 使用者必須重新輸入認證,才能讓報表產生器連接報表伺服器。Users must re-type their credentials to get Report Builder to connect to the report server. 報表產生器不會從 Internet Explorer 或 ClickOnce 收集認證。Report Builder does not collect credentials from Internet Explorer or ClickOnce.

另請參閱See Also

使用報表伺服器驗證 Authentication with the Report Server
規劃 Reporting Services 和 Power View 瀏覽器支援(Reporting Services 2014) Planning for Reporting Services and Power View Browser Support (Reporting Services 2014)
啟動報表產生器(報表產生器) Start Report Builder (Report Builder)
報表管理員 (SSRS 原生模式) Report Manager (SSRS Native Mode)
連接至 Management Studio 中的報表伺服器 Connect to a Report Server in Management Studio
報表伺服器系統屬性Report Server System Properties