Assigning Users to ConfigMgr ReportUsers group in SCCM 2012

I have found that delegating permissions so that specific users are only allowed to view reports in SCCM 2012 can be a little tricky. I wanted to be able to add an Active Directory group to the ConfigMgr ReportUsers group in SCCM 2012. Then these users could simply view certain reports but not be able to build, create, edit or manage those reports and also not have access to the ConfigMgr Console. I think that’s a reasonable request. After all, one of the benefits of combining the reporting services point with SSRS in 2012 is being able to view the reports through the web console. Here is a little rundown of the pain that I’ve been through troubleshooting this issue.

I tried setting the permissions via the Web Console. I thought I could set the permissions and then those permissions would propagate down to the lower folders. This is the default behaviour after all.

Unfortunately, the permissions didn’t propagate. Not only did they not propagate, but I found that if I manually went through and set the permissions on the sub folders, within 10 minutes or so, those permissions would revert back to default. This mad me sad, and angry. But mostly sad.

So I thought I better do a little fishing, I decided to check the SRSRP.log file on the ConfigMgr server to see if could find out what was going on. I found this.

It turns out that SCCM is checking every 10 minutes or so, to see if the permissions are the same with what is in SCCM. If the permissions have changed in the Web Console, SCCM promptly changes them back.

So then, how do we assign user to the ConfigMgr Report user group?

In order to get it working here are the steps that I needed to follow. First, create the group that you would like to delegate the privileges to in Active Directory Users and Groups. Fill that group with the users you would like to delegate access to.

In the SCCM console, navigate to Administration > Security > Security Roles and COPY the Read-Only Analyst role.

You will now need to go through each individual permission and make sure run report is the only permission assigned. This will take a long time. The other option is to just associate the Read-Only Analyst role. This might give more permissions than you would like to give however. That’s up to you.

Now in the SCCM console, navigate to Administration > Security > Administrative Users. Right click Administrative Users and click Add User or Group.

 

Fill out the wizard. Leave the Collections and Security Scope as default.

Now go back to your web browser to check that the permissions have applied. It might take up to 10 minutes to resync. You can check the log file if you like. CMtrace.exe is a tail log viewer so it will update in real time.

You should see your group listed with the rights ConfigMgr Report Users. Now your users can view reports without breaking anything! Woohoo!

You can find more information on Reporting Services in SCCM 2012, here > http://technet.microsoft.com/en-us/library/gg682105.aspx

 

 

 

 

 

 

 

 

Tagged , , , , . Bookmark the permalink.

19 Responses to Assigning Users to ConfigMgr ReportUsers group in SCCM 2012

  1. Paul Edwards says:

    Thanks for the article – like you, I’d got to the point where I was tearing my hair out trying to figure out how to do this…
    Can I add an amendment? Any reports with prompts will also need other permissions adding. For instance, you need to grant ‘Read’ access to ‘Collections’ otherwise all the reports with a collection drop-down box come up blank. Also, for the software compliance reports to work correctly you need to add ‘Read’ access to ‘Software Update Groups’. I’m sure there might be one or two others that I haven’t found yet…

  2. Fareed Ahmed says:

    Very good work my friend

    Fareed

  3. Fareed Ahmed says:

    Very good work my friend

    Fareed

  4. Eric says:

    Excellent! This article really helped me out! Thanks a lot.

  5. Eric says:

    Excellent! This article really helped me out! Thanks a lot.

  6. Eric says:

    Thank You!!!!

  7. Eric says:

    Thank You!!!!

  8. Sergio Geldres says:

    Excelente!!!!!! Muchas gracias.

  9. Sergio Geldres says:

    Excelente!!!!!! Muchas gracias.

  10. joes says:

    I have the opposite problem.. i would like users not to see the report folder they don’t have permissions.. any one know how to do this ?

  11. joes says:

    I have the opposite problem.. i would like users not to see the report folder they don’t have permissions.. any one know how to do this ?

  12. also I found that you must give read permission to the collection section in the permissions list if the report have a Collection Variables πŸ™‚

  13. also I found that you must give read permission to the collection section in the permissions list if the report have a Collection Variables πŸ™‚

  14. LaVox says:

    Nice work! You saved my life, man.

  15. LaVox says:

    Nice work! You saved my life, man.

  16. anonymous says:

    why copy the role if you are not pasting anywhere else?

  17. anonymous says:

    why copy the role if you are not pasting anywhere else?

Leave a Reply

Your email address will not be published. Required fields are marked *