Endpoint Insights
Grant Permission to One MEMCM / SCCM SSRS Report
Garth JonesIn Microsoft Endpoint Configuration Manager (MEMCM / SCCM) 2007 it is possible to grant permission to a single SCCM SSRS report by simply updating the permissions in the web interface. However, in later versions of MEMCM / SCCM you need to perform a few more steps within the SCCM console in order to grant non-administrators access to a single SSRS report.
Originally I wrote a blog post about this topic back in 2013 that applied to MEMCM / SCCM 2012, but it’s time for an update. Why? Those steps WON’T work for SCCM 2012 R2 or SCCM Current Branch because you need to take further action. If you were to compare the old blog post with this one, you would see a lot of similarities between them, but with the introduction of Role-Based Administration (RBA) in SCCM 2012 R2 you now need to grant more rights than simply, “Site Read,” to your report reader AD security group. You must also grant rights to the report’s inventoried items.
Security Rights
It is best practice to use an AD security group when granting permission to reports. If you don’t want to grant rights to an AD security group, you would follow the same basic steps as below in order to provide access to a single user.
In this example I will show you how to grant AD security group access to a report called, Computers with low free disk space (less than specified % free). The additional security rights that are required by the report reader’s AD security group are:
–Read and Read Resource for Collection.
–Read for Inventory Reports.
Importing the MEMCM / SCCM Security Role
First, start by creating a security role. I will call it, “Site Read.” This role only has rights to read from the site server. To make life easier, I created this SCCM security role and you can use this link to download and import it. Even though the URL says, “cm12,” it will work with both Current Branch and SCCM 2012 R2.
By the way, if you already have this role then skip this section and go to the next one, Copy the MEMCM / SCCM Security Role.
After downloading the XML file, from the SCCM console, select Administration | Overview | Security and then right-click on Security Roles and select Import Security Role.
Locate the XML file that you downloaded and click on the Open button.
The Security Role is created!
Copy the MEMCM / SCCM Security Role
After you import the base Site Read security role it is time to customize it. Before you edit it, though, I recommend making a copy of it first so that the next time you need to create a security role you don’t have to undo all of your changes. In this example, I will call the new security role: % Free Disk Space.
Right-click on the Site Read security role and select Copy.
Enter the new security role’s name and description. Next, expand Collection and set Read to Yes, and Read Resource to Yes. Scroll down the list to Inventory Reports and set Read to Yes. Finally, click on the OK button.
Applying the MEMCM / SCCM Security Role to an AD Security Group
In the SCCM console under the Administration node expand Security, click on Administrative Users, and then, in the top left of the console, click on the Add User or Group button.
Click on Browse…
Select the AD User or Group that you are assigning rights to before clicking OK.
Click Add…
Select the MEMCM / SCCM security role that you customized in the previous section and then click on the OK button. In my case the security role is called, % Free Disk Space.
Click OK to complete the process of assigning rights to the AD security group.
Grant Permission to a Single MEMCM / SCCM SSRS Report
In the SCCM console start in the Monitoring node. Expand Reporting and then click on Reports. In the search bar enter the filter string (disk) to locate the report, Computers with low free disk space (less than specified % free). Select the report, right-click on it and then select Properties.
On the Computers with low free disk space (less than specified % free) properties page, select the Security tab, de-select Inheriting rights from parent object and then click on Add…
In the User name field enter the name of the AD security group and then select ConfigMgr Report Users. Click OK.
Finally, click on the OK button to complete this process.
Now you are done! The user will have access to the selected report via the AD security group. SCCM report permissions are updated every 10-minutes, so please wait at least 10-minutes before sending the user a link to the report. This will avoid any unnecessary Service Desk calls.
Special Notes
-In order for the user to access the report you will need to provide them with a direct link to the report because they will NOT be able to see the folder with the report in it. In case you’re curious, this is what the URL http://cm-ssrs-cb1/Reports/Pages/Report.aspx?ItemPath=%2fConfigMgr_CB1%2fHardware+-+Disk%2fComputers+with+low+free+disk+space+(less+than+specified+%25+free) in my example looks like. By the way, it will only work within my environment.
-If the user tries to drill-down to other reports they will see a similar error message: The permissions granted to user ‘GARTEK\morgan’ are insufficient for performing this operation. (rsAccessDenied)
If you have any questions about how to grant permission to a single SCCM SSRS report, please feel free to contact me @GarthMJ. Do you have an idea for a blog post about a SCCM query or reporting topic? Let me know. Your idea might become the focus of my next blog post!
Additional Resources
Learn more about how to successfully use MEMCM / SCCM through our many posts dedicated to Systems Management:
MEMCM / SCCM Overview
External Integration
Inventory
- How to Collect Free Disk Space Data in SCCM
- Setup, Configure, and Use SCCM’s Asset Intelligence
- Creating a Subselect Query for WQL
Reporting
- How to Install a SCCM Reporting Services Point
- Dynamic Images to SSRS Report for SCCM
- Editing SCCM Reports with Report Builder
Scripting
Security/Permissions
Software
Troubleshooting
