Lesson 2: Setting Item-Level Permissions on a Report Server
Access to reports, folders, models, shared data sources, and resources is controlled through item-level role assignments. Each user who requires access to a report server must have at least one item-level role assignment. If you define role assignments on the root folder (Home), you can use permission inheritance to allow the same level of access for all items that are stored on the server.
Reporting Services provides predefined roles to make setting permissions easier. You can choose from a variety of roles to create assignments with increasing levels of permissions.
Assign the Browser role to users who will view reports and create individual subscriptions. For more information, see the Browser Role.
Assign the Report Builder role to users who will perform all of the tasks provided in the Browser role, plus create reports in Report Builder. For more information, see the Report Builder Role.
Assign the Publisher role to users who will perform all of the tasks provided in the previous roles, with additional permissions for publishing reports and models from Business Intelligence Development Studio. For more information, see the Publisher Role.
Assign the Content Manager role to a small set of users who will manage content on a report server. For more information, see the Content Manager Role.
To define role assignments, you must have sufficient permissions. On a new installation of Reporting Services, you must be a member of the local Administrators group to create role assignments.
This lesson assumes that you have completed Lesson 1: Setting System-Level Permissions on a Report Server and have an open connection to Report Manager. If you do not have an open connection, log on to your computer as a local administrator and start Report Manager. For more information, see Report Manager.
To create an item-level role assignment
Click Home at the top of the page to open the Report Manager home page.
Click the Folder Settings button.
Click New Role Assignment.
In Group or user name, specify the name of a domain group account that includes all of the users who require permissions to view reports. Specify the account in this format: domain\group. The account should be in the same domain or in a trusted domain. If you do not have a domain group that fits this description, you can specify individual domain user accounts instead.
Click New Role Assignment again.
Type the name of a domain user account for a user who has administrative responsibilities for this report server. Specify the account in this format: domain\user. The account should be in the same domain or in a trusted domain.
Select Content Manager.
Click OK to save the role assignments.
You have successfully created two item-level role assignments.
One role assignment grants minimal permissions to a domain group account.
The second role assignment grants administrative permissions to a specific user account. To check your work, ask a user from the Browser role and the Content Manager role to open Report Manager. The user who has minimal permissions should be able to view items and run reports. The user who as elevated permissions should see additional property pages for each item, and be able to view more properties on the Site Settings page.
Next, you will learn how to create an item-level role assignment that provides access to a single report that is in a subfolder. See Lesson 3: Setting Permissions on Specific Items.