I have found that delegating permissions so that specific users are only allowed to view reports in SCCM 2012 can be a little tricky. I wanted to be able to add an Active Directory group to the ConfigMgr ReportUsers group in SCCM 2012. Then these users could simply view certain reports but not be able to build, create, edit or manage those reports and also not have access to the ConfigMgr Console. I think that’s a reasonable request. After all, one of the benefits of combining the reporting services point with SSRS in 2012 is being able to view the reports through the web console. Here is a little rundown of the pain that I’ve been through troubleshooting this issue.
I tried setting the permissions via the Web Console. I thought I could set the permissions and then those permissions would propagate down to the lower folders. This is the default behaviour after all.
Unfortunately, the permissions didn’t propagate. Not only did they not propagate, but I found that if I manually went through and set the permissions on the sub folders, within 10 minutes or so, those permissions would revert back to default. This mad me sad, and angry. But mostly sad.
So I thought I better do a little fishing, I decided to check the SRSRP.log file on the ConfigMgr server to see if could find out what was going on. I found this.
It turns out that SCCM is checking every 10 minutes or so, to see if the permissions are the same with what is in SCCM. If the permissions have changed in the Web Console, SCCM promptly changes them back.
So then, how do we assign user to the ConfigMgr Report user group?
In order to get it working here are the steps that I needed to follow. First, create the group that you would like to delegate the privileges to in Active Directory Users and Groups. Fill that group with the users you would like to delegate access to.
In the SCCM console, navigate to Administration > Security > Security Roles and COPY the Read-Only Analyst role.
You will now need to go through each individual permission and make sure run report is the only permission assigned. This will take a long time. The other option is to just associate the Read-Only Analyst role. This might give more permissions than you would like to give however. That’s up to you.
Now in the SCCM console, navigate to Administration > Security > Administrative Users. Right click Administrative Users and click Add User or Group.
Fill out the wizard. Leave the Collections and Security Scope as default.
Now go back to your web browser to check that the permissions have applied. It might take up to 10 minutes to resync. You can check the log file if you like. CMtrace.exe is a tail log viewer so it will update in real time.
You should see your group listed with the rights ConfigMgr Report Users. Now your users can view reports without breaking anything! Woohoo!
You can find more information on Reporting Services in SCCM 2012, here > http://technet.microsoft.com/en-us/library/gg682105.aspx