ConfigMgr Console

Grant Permission to One ConfigMgr / SCCM SSRS Report

Topics: ConfigMgr Console

In Microsoft Endpoint Configuration Manager (ConfigMgr / SCCM) 2007 it is possible to grant permission to a single SCCM SSRS report by simply updating the permissions in the web interface. However, in later versions of ConfigMgr / SCCM you need to perform a few more steps within the SCCM console in order to grant non-administrators access to a single SSRS report.
Originally I wrote a blog post about this topic back in 2013 that applied to ConfigMgr / SCCM 2012, but it’s time for an update. Why? Those steps WON’T work for SCCM 2012 R2 or SCCM Current Branch because you need to take further action. If you were to compare the old blog post with this one, you would see a lot of similarities between them, but with the introduction of Role-Based Administration (RBA) in SCCM 2012 R2 you now need to grant more rights than simply, “Site Read,” to your report reader AD security group. You must also grant rights to the report’s inventoried items.

Security Rights

It is best practice to use an AD security group when granting permission to reports. If you don’t want to grant rights to an AD security group, you would follow the same basic steps as below in order to provide access to a single user.
In this example I will show you how to grant AD security group access to a report called, Computers with low free disk space (less than specified % free). The additional security rights that are required by the report reader’s AD security group are:
Read and Read Resource for Collection.
Read for Inventory Reports.

Importing the ConfigMgr / SCCM Security Role

First, start by creating a security role. I will call it, “Site Read.” This role only has rights to read from the site server. To make life easier, I created this SCCM security role and you can use this link to download and import it. Even though the URL says, “cm12,” it will work with both Current Branch and SCCM 2012 R2.
By the way, if you already have this role then skip this section and go to the next one, Copy the ConfigMgr / SCCM Security Role.

Grant Permission to a Single SCCM SSRS Report - Import Security Role
After downloading the XML file, from the SCCM console, select Administration | Overview | Security and then right-click on Security Roles and select Import Security Role.

Grant Permission to a Single SCCM SSRS Report - XML File
Locate the XML file that you downloaded and click on the Open button.

Grant Permission to a Single SCCM SSRS Report - Created
The Security Role is created!

Copy the ConfigMgr / SCCM Security Role

After you import the base Site Read security role it is time to customize it. Before you edit it, though, I recommend making a copy of it first so that the next time you need to create a security role you don’t have to undo all of your changes. In this example, I will call the new security role: % Free Disk Space.
Grant Permission to a Single SCCM SSRS Report - Copy
Right-click on the Site Read security role and select Copy.

Grant Permission to a Single SCCM SSRS Report - Yes
Enter the new security role’s name and description. Next, expand Collection and set Read to Yes, and Read Resource to Yes. Scroll down the list to Inventory Reports and set Read to Yes. Finally, click on the OK button.

Applying the ConfigMgr / SCCM Security Role to an AD Security Group

Grant Permission to a Single SCCM SSRS Report - Add User or Group
In the SCCM console under the Administration node expand Security, click on Administrative Users, and then, in the top left of the console, click on the Add User or Group button.

Grant Permission to a Single SCCM SSRS Report - Browse Button
Click on Browse…

Grant Permission to a Single SCCM SSRS Report - Select AD User or Group
Select the AD User or Group that you are assigning rights to before clicking OK.

Grant Permission to a Single SCCM SSRS Report - Add Button
Click Add…

Grant Permission to a Single SCCM SSRS Report - Security Role
Select the ConfigMgr / SCCM security role that you customized in the previous section and then click on the OK button. In my case the security role is called, % Free Disk Space.

Grant Permission to a Single SCCM SSRS Report - Add User or Group OK Button
Click OK to complete the process of assigning rights to the AD security group.

Grant Permission to a Single ConfigMgr / SCCM SSRS Report

Grant Permission to a Single SCCM SSRS Report - Properties
In the SCCM console start in the Monitoring node. Expand Reporting and then click on Reports. In the search bar enter the filter string (disk) to locate the report, Computers with low free disk space (less than specified % free). Select the report, right-click on it and then select Properties.

Grant Permission to a Single SCCM SSRS Report - Security Tab
On the Computers with low free disk space (less than specified % free) properties page, select the Security tab, de-select Inheriting rights from parent object and then click on Add…

Grant Permission to a Single SCCM SSRS Report - User Properties
In the User name field enter the name of the AD security group and then select ConfigMgr Report Users. Click OK.

Grant Permission to a Single SCCM SSRS Report - Security Tab OK Button
Finally, click on the OK button to complete this process.

Now you are done! The user will have access to the selected report via the AD security group. SCCM report permissions are updated every 10-minutes, so please wait at least 10-minutes before sending the user a link to the report. This will avoid any unnecessary Service Desk calls.

Special Notes

-In order for the user to access the report you will need to provide them with a direct link to the report because they will NOT be able to see the folder with the report in it. In case you’re curious, this is what the URL http://cm-ssrs-cb1/Reports/Pages/Report.aspx?ItemPath=%2fConfigMgr_CB1%2fHardware+-+Disk%2fComputers+with+low+free+disk+space+(less+than+specified+%25+free) in my example looks like. By the way, it will only work within my environment.
-If the user tries to drill-down to other reports they will see a similar error message: The permissions granted to user ‘GARTEK\morgan’ are insufficient for performing this operation. (rsAccessDenied)

If you have any questions about how to grant permission to a single SCCM SSRS report, please feel free to contact me @GarthMJ. Do you have an idea for a blog post about a SCCM query or reporting topic? Let me know. Your idea might become the focus of my next blog post!


Additional ConfigMgr / SCCM Resources

Learn more about how to better use ConfigMgr / SCCM. 

Overview

Inventory 

Reporting 

Scripting 

Security/Permissions 

Software 

External Integration 

Back to Top