In System Center Configuration Manager (SCCM) 2007 it is possible to grant permission to a single SCCM SSRS report by simply updating the permissions in the web interface. However, in later versions of SCCM you need to perform a few more steps within the SCCM console in order to grant non-administrators access to a single SSRS report.
Originally I wrote a blog post about this topic back in 2013 that applied to SCCM 2012, but it’s time for an update. Why? Those steps WON’T work for SCCM 2012 R2 or SCCM Current Branch because you need to take further action. If you were to compare the old blog post with this one, you would see a lot of similarities between them, but with the introduction of Role-Based Administration (RBA) in SCCM 2012 R2 you now need to grant more rights than simply, “Site Read,” to your report reader AD security group. You must also grant rights to the report’s inventoried items.
It is best practice to use an AD security group when granting permission to reports. If you don’t want to grant rights to an AD security group, you would follow the same basic steps as below in order to provide access to a single user.
In this example I will show you how to grant AD security group access to a report called, Computers with low free disk space (less than specified % free). The additional security rights that are required by the report reader’s AD security group are:
–Read and Read Resource for Collection.
–Read for Inventory Reports.
Importing the SCCM Security Role
First, start by creating a security role. I will call it, “Site Read.” This role only has rights to read from the site server. To make life easier, I created this SCCM security role and you can use this link to download and import it. Even though the URL says, “cm12,” it will work with both Current Branch and SCCM 2012 R2.
By the way, if you already have this role then skip this section and go to the next one, Copy the SCCM Security Role.
Copy the SCCM Security Role
After you import the base Site Read security role it is time to customize it. Before you edit it, though, I recommend making a copy of it first so that the next time you need to create a security role you don’t have to undo all of your changes. In this example, I will call the new security role: % Free Disk Space.
Right-click on the Site Read security role and select Copy.
Enter the new security role’s name and description. Next, expand Collection and set Read to Yes, and Read Resource to Yes. Scroll down the list to Inventory Reports and set Read to Yes. Finally, click on the OK button.
Applying the SCCM Security Role to an AD Security Group
Grant Permission to a Single SCCM SSRS Report
In the SCCM console start in the Monitoring node. Expand Reporting and then click on Reports. In the search bar enter the filter string (disk) to locate the report, Computers with low free disk space (less than specified % free). Select the report, right-click on it and then select Properties.
Now you are done! The user will have access to the selected report via the AD security group. SCCM report permissions are updated every 10-minutes, so please wait at least 10-minutes before sending the user a link to the report. This will avoid any unnecessary Service Desk calls.
-In order for the user to access the report you will need to provide them with a direct link to the report because they will NOT be able to see the folder with the report in it. In case you’re curious, this is what the URL http://cm-ssrs-cb1/Reports/Pages/Report.aspx?ItemPath=%2fConfigMgr_CB1%2fHardware+-+Disk%2fComputers+with+low+free+disk+space+(less+than+specified+%25+free) in my example looks like. By the way, it will only work within my environment.
-If the user tries to drill-down to other reports they will see a similar error message: The permissions granted to user ‘GARTEK\morgan’ are insufficient for performing this operation. (rsAccessDenied)
If you have any questions about how to grant permission to a single SCCM SSRS report, please feel free to contact me @GarthMJ. Do you have an idea for a blog post about a SCCM query or reporting topic? Let me know. Your idea might become the focus of my next blog post!