Role based administration is used to secure the access that is needed to administer SCCM. You also secure access to the objects that you manage, like collections, deployments, and sites but lacks a couple of roles to be complete. For example, there’s no built-in role for report administration or report viewer.
We already covered the report viewer role in a previous post. This role give access to your users to consult and run SCCM Reports on the SSRS website. But what if you want to give access to an administrator to create, modify and upload reports without giving them access to the SCCM console ? This post will describe how to create SCCM Report Administrator Role which will fulfill this need.
How to Create SCCM Report Administrator Role
- The first step is to create a Report Users role
- Once created, go to Administration \ Security \ Security Roles
- Right-click Report Users and select Copy
- In Name, type Report Administrator and add a brief description
- On the lower pane, browse to each class where you have Run Report right and add Modify Report
- Ensure that the Site class has Read, Modify Report and Modify permissions and click OK
Assign the Security Role to an Administrative User
We now need to assign the Report Administrator security role to a user.
- Go to Administration \ Security \ Administrative Users
- Right-click Administrative User and select Add User or Group
- In the Add User or Group window, click Browse and select your user
- Click Add, select the Report Administrator Role that you just created
- In the lower pane select All instances of the objects that are related to the assigned security roles
- Click Ok
You have now assign your user or group to your report administrator role in SCCM.
SQL Server Reporting Services Permission
There’s one last step to complete. We need to give access to this user on the SSRS Website. SCCM overwrites permission modification by using the role-based assignments stored in the site database.
As per Technet :
Configuration Manager connects to Reporting Services and sets the permissions for users on the Configuration Manager and Reporting Services root folders and specific report folders. After the initial installation of the reporting services point, Configuration Manager connects to Reporting Services in a 10-minute interval to verify that the user rights configured on the report folders are the associated rights that are set for Configuration Manager users. When users are added or user rights are modified on the report folder by using Reporting Services Report Manager, Configuration Manager overwrites those changes by using the role-based assignments stored in the site database. Configuration Manager also removes users that do not have Reporting rights in Configuration Manager.
It’s not possible just to add your user with the Config Report Administrators role because it will be reset in 10 minutes.
- To fix this, you must click Site Settings in the upper right corner
- Click Security and New Role Assignment
- Enter your user or group name without your domain
- Select System User and click OK
- This role give access to view system properties, shared schedules, and allow use of Report Builder or other clients that execute report definitions
Once set, you can validate that your user has been given the rights.
- Go to the root of your SQL Reporting Service Website, click you ConfigMgr site and select Security
- Validate that your user has been added. Those permission won’t be overwrite. All set !