Sunday, February 13, 2011

SSRS Security

How can you manage permissions in SQL Server Reporting Services to ensure that sensitive reports are only seen by the people authorized to view them?
Because much of a company's data is sensitive and should not be seen by everyone, data protection is a priority. In this document, we will cover the SSRS security model and talk about how you can leverage it to lock down your SSRS environment.

SQL Server Reporting Services security is managed on two levels: the SSRS site and on items within the site. At each level, the tasks that users can perform are managed via roles. Roles are just groups with certain tasks assigned to them and members of the role can perform the assigned tasks. It's that simple. Taking some time to create appropriate roles and assigning users accordingly will ensure that your SSRS site, and the reports it houses, are secure.

Site-level security in Reporting Services
The first level of security is site-level security. On the SSRS site as a whole, you can manage the tasks your users are allowed to perform. The tasks are fixed, and you need to create your roles with these fixed tasks in mind.

At this level, you will be assigning "administrative" tasks to users. Standard users that just need to view reports will probably not require any permission at this level of SQL Server Reporting Services, beyond the ability to view properties and schedules and execute report definitions.

If you want to add additional users or groups to the System Administrators role without adding to the local administrators group, you’ll need to go into the System Role Assignments page. To do this interactively you can navigate to the report manager (http://reportserver/reports, for instance) and click Site Settings in the upper right hand of the screen. Towards the bottom of the Site Settings screen you’ll find three links under a security heading.

Click on “New Role Assignment”
From here you can enter a username or a group name into the textbox. For machines in a domain, you can prefix the name with the domain name, (DOMAIN\scott, for example). Reporting Services will verify the entry, so don’t worry about spelling mistakes. Select the checkboxes for the role you want to assign.
Here are the tasks you can assign to roles at the site level:
• Execute Report Definitions allows a user to run a report definition without first loading the definition onto the SSRS server. This is required if you want your users to run report definitions from applications separate from SSRS, such as the Report Builder.
• Generate Events allows applications to generate events in the SSRS namespace.
• Manage Jobs permits users to view the jobs that are running on your SSRS server and cancel them if necessary.
• Manage Report Server Properties is a task that allows users to manage properties of the report server, as well as the items managed by the report server.
• Manage Report Server Security allows users to view and modify the members of your system-level roles.
• Manage Roles permits users to create, view and modify the role definitions. These users can change the tasks that are assigned to your roles.
• Manage Shared Schedules. SSRS contains shared schedules that can be tied to report execution; this task will allow users to manage these schedules.
• View Report Server Properties lets users view, but not change, the properties of the report server. This task is implied if the role has the Manage Report Server Properties task assigned.
• View Shared Schedules lets users view, but not change, the shared schedules on the report server. This task is implied if the role has the Manage Shared Schedules task assigned.
To control which users are allowed to perform each of these tasks, you first create a system-level role. There are two built in system-level roles when you install SQL Server Reporting Services.
• System Administrator. This system-level role manages all aspects of the SSRS site. The only task that cannot be performed by default is the Generate Events task. If you want administrators, or any user for that matter, to be able to perform this task, you must explicitly assign it to the appropriate role.
• System User. These users are allowed to view report server properties and shared schedules and execute report definitions. These tasks are assigned so that users can run reports.
To create new roles, click Site Settings in the top right corner of the Report Browser and then select Configure system-level role definitions under Security. This will open the System Roles page: To create a new role, click the New Role button. This will open the New System Role page, shown in the screenshot. All you have to do now is name the role; give it a description, and then select all the tasks you want this role to be able to perform. When you're done, click OK.

Here are the tasks that can be assigned to item-level roles:
• Consume Reports allows users to read report definitions. This is a fancy way of saying "these users can run reports."
• Create Linked Reports allows users to create links between columns from one report to another. Users can also publish these reports to a folder.
• Manage All Subscriptions is a task that permits the user to view and manage other user's subscriptions to an item.
• Manage Data Sources lets the user create and delete shared data sources in SSRS.
• Manage Folders allows users to create and delete folders in SSRS. They can also modify the properties of existing folders.
• Manage Individual Subscriptions permits the user to create, view and modify subscriptions the user owns.
• Manage Models is a task giving the user rights to create, view and modify models.
• Manage Reports allows users to create and delete reports.
• Manage Resources lets users create, modify and delete resources in a folder. Resources are items such as shared schedules.
• Set Security for Individual Items is a task that permits the user to manage security for reports, folders, resources and shared data sources.
• View Data Sources lets the user view the properties of shared data sources.
• View Folders allows a user to view folders and folder properties.
• View Models authorizes users to view models and model properties.
• View Reports lets a user view reports in the folder hierarchy. This does not, however, allow users to run reports -- for that they require the Consume Reports task.
• View Resources lets a user view resources and resource properties in folders.
As with system-level roles, there are some built-in item-level roles you can use when assigning permissions in this area of SQL Server Reporting Services. If these roles aren't enough, you can build additional roles and assign users any combination of the item-level tasks we just looked at. The built-in item-level roles are as follows:
• Browser. This role is configured to allow users to view folders and reports and lets them subscribe to reports.
• Content Manager. These users can manage the content of the SSRS site, including managing folders, reports and resources.
• My Reports. Users are allowed to publish reports and manage reports, folders and resources in their My Reports folder.
• Publisher. This user can publish reports and manage reports, folders and resources on the report server.
• Report Builder. Report Builders have permission to view report definitions.
Now, let's get down to the details. To manage these roles, you have several options. Item-level security can be applied to a folder, report, data source or resource. To give SQL Server users permission to an item, you need to open that item and view its security properties. When you add a user, you also have to assign a user to a role for that item. In the case of folders, the role a user is assigned at the top-level folder will, by default, be inherited by other items inside that folder. You do have the ability to override security on a lower-level folder of item-level security.
At this point, the security of your SSRS server is entirely up to you. You can create different folders for each department and assign only employees in that department with access to that folder. Within each department folder, I like to create an additional folder for sensitive reports and further lock that folder down to the appropriate users. Take some time and really plan out how your reports will be placed on the server and how you want the security to look. When using SQL Server Reporting Services, there is no reason that all of your reports, regardless of sensitivity, can't be stored in a single report server.