< Blog

Which Security Accounts Are Used within ConfigMgr SSRS Report Execution?

By Garth Jones

In a recent tweet, S. D’Souza @sdsouza78 said:

“It always confuses me which account/security context gets used where when running reports from within SCCM/SSRS environment.”

I found his admission interesting and my first reaction was to say that SSRS always uses your account information, but the answer isn’t that simple!

In ConfigMgr 2012 and later there is only one supported configuration (see Screenshot #4 below), so this blog post will talk about it and how to determine what account is running the SSRS reports in your environment. By the way, with ConfigMgr 2007, it is a “free for all,” so for ConfigMgr 2007 there is no easy answer.

Similar to my last post on the subject, How Does the ConfigMgr SSRS Report Execution Workflow Operate? I’m going to use the same scenario, so the workflow will be the same. This time, however, I will be looking at it from a security perspective.

· Morgan wants to execute a report called, Overall Missing Software Update Status by Classification, with the Home > ConfigMgr_CM6 > Enhanced Web Reporting > Software Updates folder on a server called CM12R2-CM6.

· CM12R2-CM6 is a ConfigMgr 2012 R2 Server with SQL 2012 and SSRS.

· Both SSRS and SQL are using the default instances.

· Morgan is NOT a ConfigMgr 2012 R2 administrator.

· All reports are Role-Based Administration (RBA) reports.

· My example will start with Morgan sitting at his Windows 7 desktop.

On the left-side of the flowchart (see below) is a summary of the SSRS report process and on the right-side is each account’s database permissions.

After the flowchart, I’ll show you where to locate your configuration by pointing out where each piece of information is found.

Which Security Accounts Are Used within ConfigMgr SSRS Report Execution-SSRS Account Process

Screenshot #1

The name of your SSRS database is found within the Reporting Services Configuration Manager executable. You can access this window from the Database node in the executable. Screenshot #2 shows this node.

 Which Security Accounts Are Used within ConfigMgr SSRS Report Execution-Screenshot1

Screenshot #2

This is the service account that SSRS is running under, and this window can be found within the Reporting Services Configuration Manager executable. Also notice on the left-hand side that the Database node is showing as mentioned in Screenshot #1’s description.

Which Security Accounts Are Used within ConfigMgr SSRS Report Execution-Screenshot2

Screenshot #3

The green arrow is pointing to the ConfigMgr database name which is being used by SSRS. The red arrow shows you which account is accessing the ConfigMgr database whenever reports are executed. You can find this information by reviewing the reporting point’s properties in the ConfigMgr console.

Which Security Accounts Are Used within ConfigMgr SSRS Report Execution-Screenshot3

Screenshot #4

You can find the one supported configuration by reviewing the SSRS data source properties found on the SSRS web interface under the main ConfigMgr_<your site code> folder.

Which Security Accounts Are Used within ConfigMgr SSRS Report Execution-Screenshot4

Thank you S. D’Souza for the questions! I hope that this helps and make sure to read tomorrow’s post about the SSRS report execution workflow from the ConfigMgr console.

Feel free to contact me @GarthMJ with any questions and follow my posts on the Enhansoft blog site.