Endpoint Insights

Setting Up Security for SCCM Power BI Reports

Author Photo Garth Jones
Published on: July 24, 2019
Topics: Endpoint Insights

Receive notification right in your inbox whenever new content like this is released & sign up for our email list!

We’ll send you the latest updates, how-to’s, and solutions to empower you at every endpoint.

By signing up you agree to our Privacy Policy.

What do I mean by, “Setting up security for SCCM Power BI reports?” First, in order to create and run Power BI reports, you need to access the SQL Server database directly from Power BI Desktop, so you need to pay attention to who can access this data. Second, only supported SQL Server views, functions, etc., should be used with Power BI reports. If not, there are a whole host of issues that can follow.

Why am I focusing on those two points? Most Power BI reports are written by non-SCCM/SQL Server people. Let’s face it, that’s part of the allure to Power BI. The downside is that some non-SCCM/SQL Server folks are granted dbo or db_datareader rights to the SCCM SQL Server database. Once given this all-access pass to SCCM data, however, a non-Admin may not know what SQL Server objects to use.

How, then, can you restrict users from using unsupported SQL Server views and functions in their Power BI reports? I answer that question in this post by showing you a quick and simple trick! Limiting what the end user can see to only Microsoft SCCM-supported objects, gives some assurance that they won’t create a headache for you later on.

SQL Server Views and Functions

Microsoft ONLY supports querying SCCM SQL Server views and SCCM SQL Server table-value functions. NOT all SQL Server views and functions, however, are supported.

Only SQL Server views and functions that have smsschm_users “Select” or “Execute” permissions are supported with reporting. It doesn’t matter if you’re using Power BI, SSRS or any third-party tools.

The simplest way to restrict what an end user sees in the SQL Server database is to leverage the SCCM Report Editor security role. Instructions about how to do this are found in the, “Granting SQL Server Security Rights,” section of this post, How to Start Editing SCCM Reports with Report Builder. This post doesn’t really say anything about Power BI, but everything in it applies to Power BI.

Granting SQL Server Security Rights for SCCM Power BI Reports

Take it from me that this is a simple task! Here is a summary of the steps:

  • Create an AD security group called SCCM Report Editors.
  • Create a SCCM Report Editors security role (optional, but I recommend it).
  • Assign the SCCM Report Editors security role to the AD SCCM Report Editors security group (optional, but I recommend it).
  • Within SQL Server, create a new SQL Server login for the AD SCCM Report Editors security group.
  • On the SCCM database, grant the SQL Server login, for the AD SCCM Report Editors security group, the database role of smschm_user.

Here’s a quick note about the two optional steps. You might be asking yourself, “Why create them?”

There are two main reasons:
-First, it allows you to edit the built-in SSRS reports using Report Builder via the SCCM console.
-Second, and more importantly, to document who has access to the SCCM database. Although you can find out who has access to the database via SQL Server itself, it is not always obvious from within SCCM, so these steps help save you some time and effort in the long run.

Again, for more information about how to perform these steps, see the instructions found in the, “Granting SQL Server Security Rights,” section of this post, How to Start Editing SCCM Reports with Report Builder.

SQL Server Security for SCCM Power BI Reports

Let’s see what happened after I performed the above-noted steps on my test account. Looking at the screenshot below, on the left-hand side you can see the number of objects that my SQL Server Admin account can access. On the right-hand side you can see the number of objects that I can use within SCCM reporting with my restricted account. What a big difference!

Security for SCCM Power BI Reports

Using Unsupported SQL Server Views

You can read more about SCCM supported and unsupported SQL Server views, tables, etc., in a couple of posts I published earlier this year: What Are the Supported SQL Server Views to Use with SCCM Reporting? and Why Is It Important to Use Supported SQL Server Views with SCCM Reporting?

As an aside, I always recommend writing queries first in SQL Server Management Studio (SSMS) before even opening up Power BI. If you like, you can use the Query Designer in SSMS. However, I know from reading posts in the forums and from experience that most people ignore this advice. Why? Either they don’t know any better or they think it is more “convenient” to simply open Power BI. For now, I won’t address why starting with SSMS is better because this security issue (seeing all of the views/tables/etc.) can’t be avoided there either without assigning the correct SQL Server permissions as spelled out in this blog post.

If you have any questions about setting up security for SCCM Power BI reports, please feel free to contact me at @GarthMJ.

Trending Topics

How to Build Compliance Baselines in Intune to Determine the Compliance Status of Devices 

How to Use Recast Builder to Automate the Force Reinstall of ConfigMgr Clients

Streamlining IT Management: The Advantages of Consolidating with Recast Software 

How to Build PPPC Profiles within Intune for MacOS Devices

Related Resources

Featured Image
Endpoint Insights

How to Improve Device Warranty Information Reporting

Author Photo
Matt Wieland
October 18, 2023
Featured Image
Endpoint Insights

Get Your Hardware Refresh Budget Right 

Author Photo
Matt Wieland
August 16, 2023
Featured Image
Endpoint Insights

A Big Bank’s IT Asset Management Success Story 

Author Photo
Matt Wieland
April 19, 2023
Featured Image
Endpoint Insights

No Need to Switch Endpoint Management Software

Author Photo
Matt Wieland
April 13, 2023
Featured Image
Endpoint Insights

Customer Stories: Endpoint Insights Enables Powerful Device Warranty Management for Carr, Riggs & Ingram

Author Photo
Matt Wieland
January 17, 2023
Featured Image
Endpoint Insights

Endpoint Insights Webinar Series

Author Photo
Matt Wieland
January 5, 2023
Featured Image
Endpoint Insights

The Five Best ConfigMgr Reports

Author Photo
Garth Jones
November 18, 2022
Featured Image
Endpoint Insights

Role-Based Administration (RBA) Reporting Feature in ConfigMgr / SCCM

Author Photo
Garth Jones
October 17, 2022
Featured Image
Endpoint Insights

What is CMTrace and What is it Used For? The Ultimate Guide

Author Photo
Garth Jones
October 7, 2022
Featured Image
Endpoint Insights

Better Together: Endpoint Insights and Right Click Tools Webinar Highlights

Author Photo
Matt Wieland
July 15, 2022
Featured Image
Endpoint Insights

HP Warranty Check for PCs

Author Photo
Garth Jones
July 8, 2022
Featured Image
Endpoint Insights

How to Find Computers Missing Applications

Author Photo
Branden Hammann
April 13, 2022
Featured Image
Endpoint Insights

Configuration Manager Maintenance Tasks

Author Photo
Garth Jones
January 25, 2022
Featured Image
Endpoint Insights

Endpoint Insights is Information

Author Photo
Marty Miller
October 15, 2021
Featured Image
Endpoint Insights

Endpoint Insights: Create a Collection of Computers with a Specific Docking Station

Author Photo
Marty Miller
September 16, 2021
Featured Image
Endpoint Insights

How to Find the Replacement Cost for a Collection of Computers

Author Photo
Marty Miller
September 14, 2021
Featured Image
Endpoint Insights

Dashboards and Missing Image Box in SSRS 2019

Author Photo
Garth Jones
September 2, 2021
Featured Image
Endpoint Insights

How to Add a Custom Background for Your Meetings

Author Photo
Garth Jones
August 19, 2021
Featured Image
Endpoint Insights

Use Endpoint Insights to Budget with Confidence, Gain Asset Insights, and Stay Ahead of Issues

Author Photo
Garth Jones
June 22, 2021
Featured Image
Endpoint Insights

Introducing Endpoint Insights: Taking Enhansoft to the Next Level

Author Photo
Chelsea Eugster
June 14, 2021
Featured Image
Endpoint Insights

Get Accurate Results from ConfigMgr

Author Photo
Garth Jones
April 14, 2021
Featured Image
Endpoint Insights

How to Create a Prompted WQL Query

Author Photo
Garth Jones
April 7, 2021
Featured Image
Endpoint Insights

Set-up a Windows File Share Subscription

Author Photo
Garth Jones
March 24, 2021
Featured Image
Endpoint Insights

Creating Custom Hardware Inventory Tips

Author Photo
Garth Jones
March 18, 2021
Featured Image
Endpoint Insights

ConfigMgr Collections & Collection Evaluation Viewer

Author Photo
Garth Jones
March 3, 2021
Featured Image
Endpoint Insights

Change the Maximum File Size of a MIF

Author Photo
Garth Jones
February 18, 2021
Featured Image
Endpoint Insights

Configuration Manager Logs – Where Are My Log Files?

Author Photo
Garth Jones
January 27, 2021
Featured Image
Endpoint Insights

How to Create a Collection Prompt Query

Author Photo
Garth Jones
January 13, 2021
Featured Image
Endpoint Insights

Determining the Microsoft Azure Tenant ID

Author Photo
Garth Jones
December 30, 2020
Featured Image
Endpoint Insights

Ola Hallengren’s SQL Server Maintenance Solution

Author Photo
Garth Jones
December 9, 2020
Back to Top