Reporting Services provides an authentication subsystem and a role-based authorization model that determines access to the report server and to items that are managed by the report server.
- Authentication is based on Windows Authentication or a custom authentication module that you provide.
- Authorization is based on roles that you assign to users or groups in your organization.
Authentication and authorization models vary depending on whether the report server runs in native mode or SharePoint integrated mode. (SharePoint permissions determine who has access to the report server)
Reporting Services uses role-based security to control access to items that are stored on a report server. When you grant a user access to a report server, you typically do so by creating a pair of role assignments:
- At the site level
- On Home, which is the root node of the report server folder hierarchy
Security is inherited within the report server folder hierarchy. Creating role assignments at the site level and on the Home folder sets permission inheritance that extends to all items and operations on a report server.
You can override permission inheritance by defining security for individual items. Items that you can secure individually include:
- Report models
- Shared data sources
Other constructs, such as schedules and subscriptions, are not explicitly secured. Schedules and subscriptions operate within the security of a report.
Limit Permission to Shared data sources:
- Assign System User role to the user/group
- Assign Report Builder role (view reports, view folders, view models, Consume reports) on /Home
- Assign Browser role (view reports, view folders, view models) on Data Sources folder
- Assign My Reports role (view data sources) on shared data sources
Grant Admin permission to user
- Assign System Admin role to user
- Assign Content Manager (set security, view report, etc) on /Home
The report server database is an internal component, accessed only by the report server. The credentials and connection information you specify for the report server database are used exclusively by the report server. Users who request reports do not require databases permissions or a database login for the report server database.