ConfigMgr
Grant Permission to One ConfigMgr SSRS Report
Topics: ConfigMgr
In Microsoft Endpoint Configuration Manager (ConfigMgr) 2007 it is possible to grant permission to a single SCCM SSRS report by simply updating the permissions in the web interface. However, in later versions of ConfigMgr you need to perform a few more steps within the ConfigMgr console in order to grant non-administrators access to a single SSRS report.
Originally, I wrote a blog post about this topic back in 2013 that applied to ConfigMgr 2012, but it’s time for an update. Why? Those steps WON’T work for SCCM 2012 R2 or SCCM Current Branch because you need to take further action. If you were to compare the old blog post with this one, you would see a lot of similarities between them, but with the introduction of Role-Based Administration (RBA) in SCCM 2012 R2 you now need to grant more rights than simply, “Site Read,” to your report reader AD security group. You must also grant rights to the report’s inventoried items.
Security Rights
It is best practice to use an AD security group when granting permission to reports. If you don’t want to grant rights to an AD security group, you would follow the same basic steps as below in order to provide access to a single user.
In this example I will show you how to grant AD security group access to a report called, Computers with low free disk space (less than specified % free). The additional security rights that are required by the report reader’s AD security group are:
- Read and Read Resource for Collection.
- Read for Inventory Reports.
Importing the ConfigMgr Security Role
First, start by creating a security role. I will call it, “Site Read.” This role only has rights to read from the site server. To make life easier, I created this SCCM security role and you can use this link to download and import it. Even though the URL says, “cm12,” it will work with both Current Branch and SCCM 2012 R2.
By the way, if you already have this role then skip this section and go to the next one, Copy the ConfigMgr Security Role.
After downloading the XML file, from the ConfigMgr console, select Administration | Overview | Security and then right-click on Security Roles and select Import Security Role.
Locate the XML file that you downloaded and click on the Open button.
The Security Role is created!
Copy the ConfigMgr Security Role
After you import the base Site Read security role it is time to customize it. Before you edit it, though, I recommend making a copy of it first so that the next time you need to create a security role you don’t have to undo all of your changes. In this example, I will call the new security role: % Free Disk Space.
Right-click on the Site Read security role and select Copy.
Enter the new security role’s name and description. Next, expand Collection and set Read to Yes, and Read Resource to Yes. Scroll down the list to Inventory Reports and set Read to Yes. Finally, click on the OK button.
Applying the ConfigMgr Security Role to an AD Security Group
In the ConfigMgr console under the Administration node expand Security, click on Administrative Users, and then, in the top left of the console, click on the Add User or Group button.
Click on Browse…
Select the AD User or Group that you are assigning rights to before clicking OK.
Click Add…
Select the ConfigMgr security role that you customized in the previous section and then click on the OK button. In my case the security role is called, % Free Disk Space.
Click OK to complete the process of assigning rights to the AD security group.
Grant Permission to a Single ConfigMgr SSRS Report
In the ConfigMgr console, start in the Monitoring node. Expand Reporting and then click on Reports. In the search bar enter the filter string (disk) to locate the report, Computers with low free disk space (less than specified % free). Select the report, right-click on it and then select Properties.
On the Computers with low free disk space (less than specified % free) properties page, select the Security tab, de-select Inheriting rights from parent object and then click on Add…
In the User name field enter the name of the AD security group and then select ConfigMgr Report Users. Click OK.
Finally, click on the OK button to complete this process.
Now you are done! The user will have access to the selected report via the AD security group. ConfigMgr report permissions are updated every 10-minutes, so please wait at least 10-minutes before sending the user a link to the report. This will avoid any unnecessary Service Desk calls.
Special Notes
- In order for the user to access the report you will need to provide them with a direct link to the report because they will NOT be able to see the folder with the report in it. In case you’re curious, this is what the URL http://cm-ssrs-cb1/Reports/Pages/Report.aspx?ItemPath=%2fConfigMgr_CB1%2fHardware+-+Disk%2fComputers+with+low+free+disk+space+(less+than+specified+%25+free) in my example looks like. By the way, it will only work within my environment.
- If the user tries to drill-down to other reports they will see a similar error message: The permissions granted to user ‘GARTEKmorgan’ are insufficient for performing this operation. (rsAccessDenied)
If you have any questions about how to grant permission to a single ConfigMgr SSRS report, please feel free to contact me @GarthMJ. Do you have an idea for a blog post about a ConfigMgr query or reporting topic? Let me know. Your idea might become the focus of my next blog post!
Additional ConfigMgr Resources
Overview
Inventory
Reporting
- How Can I Install Report Builder?
- How to Install a SCCM Reporting Services Point
- Dynamic Images to SSRS Report for SCCM
- Editing SCCM Reports with Report Builder
- Fixing the SCCM Reporting Services Point
Scripting
Security/Permissions
Software
External Integration
