Easy-to-follow video tutorials help you learn software, creative, and business skills.Become a member
Let's talk about security, and I don't mean the security of the database your report is connecting to. That's all taken care of in the data source, as we have seen. I am talking instead about security inside Reporting Services itself. So who gets to view this Report Manager website? Who could click the link to view a particular report, and who can't? And who could just view a report versus who could edit it and move it and delete it, because every item here--every folder, every subfolder, every single report, every shared data source, every report part--they all have independent security settings, a different list of people that can be allowed to view or edit them.
What you will find is they all have a Security option in the dropdown box. But it is considered a best practice to apply security at a folder level rather than individually on each report or each element, because if you change security on a folder, say the Sales folder here, whatever you put in that folder will take on the same settings, and the very top level, the Home page here that we are looking at, is considered a folder in itself, the top folder, the top container. So right now, everything I am looking at--all the reports, all the folders and everything inside them--takes on the settings that reply to this top-level folder.
So what are those settings? Well, if I have the right permissions, I can click this button up here called Folder Settings and I'll see what's inside Home. Currently, this is what I have set to. It's very simple here. It's working with security groups on this machine, saying that anyone who is in the Administrators group is considered in the role of a content manager, whereas for me, anyone who is considered an Authenticated User, which just means anybody who is logged on to this machine with a valid user ID, is considered a Browser. A Browser is someone who is allowed to view the Reporting Services website, can drill down inside the navigation of it, can actually browse reports, but can't move anything, can't delete anything, can't change security, can't create reports.
A Content Manager can do everything that I just mentioned there. They can create new reports. They can move them, delete them, add data sources, share data sources, and so on. And right now, because I haven't made any other changes, these are applying to every folder and every subfolder. So how would we change that? Well, let's say for example in my Sales folder I don't want everybody to be able to browse these reports. I only want them viewable by people in the Sales group. Well, once I am inside the Sales folder, I can go to my Folder Settings and I have the Security option here.
I can see that what it's doing right now, it's got exactly the same settings as I had in the folder above it. So I am going to click the option to Edit Item Security, and it's going to tell me well, you didn't have particular independent security here. It was being inherited from a parent item, the folder it was contained in, the Home folder. So do I want to apply different security settings here? Yes, I do. So I will click OK. And then what I am going to do is select the Authenticated Users as a Browser and delete it. That means just anybody who is logged on is not allowed to see this folder.
They are not allowed to browse items inside it. I am going to click the option for a new role assignment, and this is showing me the built-in Reporting Services roles. We have got Browser, Content Manager, Report Builder, Publisher, and My Reports. What I am going to do is add a new security group. I can add a group or an individual user. So if I had an individual user that I wanted to allow to view these reports--and I have got someone I know; his username is Hannac-- I can make them a Browser, click OK, and they are added here.
My Report Server is installed and running under a local account for the purposes of recording this course, so I am using local groups and users. In most large organizations you are running under a domain, so you'd need to use domain groups and users. And while we can add individual users, that's kind of high maintenance, so what's more typical is you will add groups. I know there is a group called Sales that contains all the salespeople, so I am going to type that in and select Browser, and now everyone who is in Sales can get into this folder and browse the items in it, but they can't change anything.
So one more thing I am going to do is create a New Role Assignment and say that the Sales Managers are allowed to create and configure new reports. I might wonder, which one should they have. There is an option here called Report Builder, which sounds like it might be the one for people creating and defining new reports, but that's not actually a great role. It doesn't give someone the ability to save a new report to the server. If you wanted someone who could add and create new reports, you'd want at least publisher, although publisher cannot move things around and apply security, so the best one, if you're really getting seriously into it, is the Content Manager Role.
I am going to click OK. So now what we have is anyone in Administrators is a full Content Manager in this Sales folder and any subfolder inside it. Hannac can browse it, as well as everybody inside the Sales group, and all the Sales Managers are also considered Content Managers. Now, when you're working with these roles, they can be changed, deleted, added to, reconfigured, so if you either see or if you need something else, you can talk to your database administrator. But if you are just creating reports and folders, data sources and report parts, the role you need at least is the Content Manager role.
Get unlimited access to all courses for just $25/month.Become a member