Role based administration is used to secure the access that is needed to administer SCCM. You also secure access to the objects that you manage, like collections, deployments, and sites but lacks a couple of roles to be complete. For example, there’s no built-in role for report administration or report viewer.

We already covered the report viewer role in a previous post. This role give access to your users to consult and run SCCM Reports on the SSRS website. But what if you want to give access to an administrator to create, modify and upload reports without giving them access to the SCCM console ? This post will describe how to create SCCM Report Administrator Role which will fulfill this need.

How to Create SCCM Report Administrator Role

  • The first step is to create a Report Users role
  • Once created, go to Administration \ Security \ Security Roles
  • Right-click Report Users and select Copy

SCCM Report Administrator Role

  • In Name, type Report Administrator and add a brief description
  • On the lower pane, browse to each class where you have Run Report right and add Modify Report

SCCM Report Administrator Role

  • Ensure that the Site class has Read, Modify Report and Modify permissions and click OK

SCCM Report Administrator Role

Assign the Security Role to an Administrative User

We now need to assign the Report Administrator security role to a user.

  • Go to Administration \ Security \ Administrative Users
  • Right-click Administrative User and select Add User or Group

SCCM Report Administrator Role

  • In the Add User or Group window, click Browse and select your user
  • Click Add, select the Report Administrator Role that you just created

SCCM Report Administrator Role

  • In the lower pane select All instances of the objects that are related to the assigned security roles
  • Click Ok

You have now assign your user or group to your report administrator role in SCCM.

SQL Server Reporting Services Permission

There’s one last step to complete. We need to give access to this user on the SSRS Website. SCCM overwrites permission modification by using the role-based assignments stored in the site database.

As per Technet :

Configuration Manager connects to Reporting Services and sets the permissions for users on the Configuration Manager and Reporting Services root folders and specific report folders. After the initial installation of the reporting services point, Configuration Manager connects to Reporting Services in a 10-minute interval to verify that the user rights configured on the report folders are the associated rights that are set for Configuration Manager users. When users are added or user rights are modified on the report folder by using Reporting Services Report Manager, Configuration Manager overwrites those changes by using the role-based assignments stored in the site database. Configuration Manager also removes users that do not have Reporting rights in Configuration Manager.

It’s not possible just to add your user with the Config Report Administrators role because it will be reset in 10 minutes.

SCCM Report Administrator Role

  • To fix this, you must click Site Settings in the upper right corner

SCCM Report Administrator Role

  • Click Security and New Role Assignment

SCCM Report Administrator Role

  • Enter your user or group name without your domain
  • Select System User and click OK
    • This role give access to view system properties, shared schedules, and allow use of Report Builder or other clients that execute report definitions

SCCM Report Administrator Role

Once set, you can validate that your user has been given the rights.

  • Go to the root of your SQL Reporting Service Website, click you ConfigMgr site and select Security

SCCM Report Administrator Role

  • Validate that your user has been added. Those permission won’t be overwrite. All set !

SCCM Report Administrator Role

Comments (3)

Peter Bajurny

02.14.2019 AT 12:31 PM
What's the reasoning for Modify on the Site node? That gives the user the ability to change all your site settings, including Site components, hierarchy settings, and modify all the servers and site systems roles. Also I'm not sure why you're adding a system role to the user. Based on the quoted text from Microsoft, ConfigMgr will create that user with the relevant permissions (which, since you've included Modify Report, includes ConfigMgr Report Administrators) for all the relevant folders.

Sujith

09.08.2018 AT 06:14 AM
Hi Benoit, Well done. It is a very good article. I have a query regarding implementing RBAC to a user for only to view the reports regarding software updates compliance for specific collections. Is it possible? Then how?. Rest of the console tabs and views not needed. Thank you

Karim

11.30.2017 AT 10:23 AM
Hello, Thanks you a lot for this article. I would like to know if it is possible to restrict the modification, creation, deletion ... to a specific folder of the reports. It bothers me to give full access to all reports, to copy them OK. But restrict editing and creation to a single folder. Thanks in advance for your assistance and have a nice day.