I'm looking at the Properties tab of a report in the Report Manager. If I go
into 'New Role Assignment', I see a 'Group or user name:' textbox.
Do I understand this correctly?: Any name I enter for a new role must match
an existing SQL Server user or group? (If so I would expect some sort of
lookup/selection list, which is the main cause for my confusion.)
|||No, this has nothing to do with SQL Server. RS is an asp.net application and
it uses roles to manage who gets to run a report, create subscriptions, etc.
Assuming that you are using integrated security (the default) then what you
are doing is assigning a user or group to a particular role. If you are in
the local administrators group for the server (not SQL Server, but the
server RS is running on) then you are automatically part of the Content
Manager role.
When you create a datasource then you deal with the credentials for
retrieving the data for the report.
So, two different things which is good. Remember, you can connect to many
different sources for the data for the reports and they can all be using
different credentials for retrieving that data.
Bruce Loehle-Conger
MVP SQL Server Reporting Services
"B. Chernick" <BChernick@.discussions.microsoft.com> wrote in message
news:18CD1BB0-50CD-422B-8A8B-2770B1B7CBFB@.microsoft.com...
> I'm looking at the Properties tab of a report in the Report Manager. If I
> go
> into 'New Role Assignment', I see a 'Group or user name:' textbox.
> Do I understand this correctly?: Any name I enter for a new role must
> match
> an existing SQL Server user or group? (If so I would expect some sort of
> lookup/selection list, which is the main cause for my confusion.)
|||Ok, admittedly I am not a security expert. I should have said Windows, not
SQL Server. Let me rephrase the question.
Are you saying in the New Role Assignment window, the name I enter in the
'Group or user name' box must match exactly an existing Windows group or
user?
(And again I say that I am rather confused that it is a textbox rather than
a selection list.)
"Bruce L-C [MVP]" wrote:
> No, this has nothing to do with SQL Server. RS is an asp.net application and
> it uses roles to manage who gets to run a report, create subscriptions, etc.
> Assuming that you are using integrated security (the default) then what you
> are doing is assigning a user or group to a particular role. If you are in
> the local administrators group for the server (not SQL Server, but the
> server RS is running on) then you are automatically part of the Content
> Manager role.
> When you create a datasource then you deal with the credentials for
> retrieving the data for the report.
> So, two different things which is good. Remember, you can connect to many
> different sources for the data for the reports and they can all be using
> different credentials for retrieving that data.
>
> --
> Bruce Loehle-Conger
> MVP SQL Server Reporting Services
>
> "B. Chernick" <BChernick@.discussions.microsoft.com> wrote in message
> news:18CD1BB0-50CD-422B-8A8B-2770B1B7CBFB@.microsoft.com...
> > I'm looking at the Properties tab of a report in the Report Manager. If I
> > go
> > into 'New Role Assignment', I see a 'Group or user name:' textbox.
> >
> > Do I understand this correctly?: Any name I enter for a new role must
> > match
> > an existing SQL Server user or group? (If so I would expect some sort of
> > lookup/selection list, which is the main cause for my confusion.)
>
>
|||Yes, you are mapping a Windows user/group to a RS role. What I do is I
create a local group on the box specifically for this. I add individual
users and domain groups to that local group. I then assign that group to a
role.
Bruce Loehle-Conger
MVP SQL Server Reporting Services
"B. Chernick" <BChernick@.discussions.microsoft.com> wrote in message
news:6C2052BC-4ACE-4D8F-84A5-A9316D86F0B7@.microsoft.com...
> Ok, admittedly I am not a security expert. I should have said Windows,
> not
> SQL Server. Let me rephrase the question.
> Are you saying in the New Role Assignment window, the name I enter in the
> 'Group or user name' box must match exactly an existing Windows group or
> user?
> (And again I say that I am rather confused that it is a textbox rather
> than
> a selection list.)
> "Bruce L-C [MVP]" wrote:
>> No, this has nothing to do with SQL Server. RS is an asp.net application
>> and
>> it uses roles to manage who gets to run a report, create subscriptions,
>> etc.
>> Assuming that you are using integrated security (the default) then what
>> you
>> are doing is assigning a user or group to a particular role. If you are
>> in
>> the local administrators group for the server (not SQL Server, but the
>> server RS is running on) then you are automatically part of the Content
>> Manager role.
>> When you create a datasource then you deal with the credentials for
>> retrieving the data for the report.
>> So, two different things which is good. Remember, you can connect to many
>> different sources for the data for the reports and they can all be using
>> different credentials for retrieving that data.
>>
>> --
>> Bruce Loehle-Conger
>> MVP SQL Server Reporting Services
>>
>> "B. Chernick" <BChernick@.discussions.microsoft.com> wrote in message
>> news:18CD1BB0-50CD-422B-8A8B-2770B1B7CBFB@.microsoft.com...
>> > I'm looking at the Properties tab of a report in the Report Manager.
>> > If I
>> > go
>> > into 'New Role Assignment', I see a 'Group or user name:' textbox.
>> >
>> > Do I understand this correctly?: Any name I enter for a new role must
>> > match
>> > an existing SQL Server user or group? (If so I would expect some sort
>> > of
>> > lookup/selection list, which is the main cause for my confusion.)
>>
|||I'm still having problems. I was under the impression that access was
controlled solely by RS itself. I know you suggested creating a dedicated
group. However, I started small, with a single network ID that had
absolutely no presence on this particular machine.
I created a server role consisting of all the 'View' options. I started by
assigning the test id this 'read-only' role at the site level and then worked
down to the report. (It appears that I have to assign security at all the
levels, site-folder-report, before the user can see the actual report. Is
that right?)
However, once the Test ID finally had access to the report and started it, I
got the error message: 'An error has occurred during report processing.
Cannot create a connection to data source 'DataSource11'. For more
information about this error navigate to the report server on the local
server machine, or enable remote errors.'
I really can't find anything in the error logs that seems relevant and I'm
not sure I understand some of the other references to this problem on this
group. Any suggestions?
"Bruce L-C [MVP]" wrote:
> Yes, you are mapping a Windows user/group to a RS role. What I do is I
> create a local group on the box specifically for this. I add individual
> users and domain groups to that local group. I then assign that group to a
> role.
>
> --
> Bruce Loehle-Conger
> MVP SQL Server Reporting Services
> "B. Chernick" <BChernick@.discussions.microsoft.com> wrote in message
> news:6C2052BC-4ACE-4D8F-84A5-A9316D86F0B7@.microsoft.com...
> > Ok, admittedly I am not a security expert. I should have said Windows,
> > not
> > SQL Server. Let me rephrase the question.
> >
> > Are you saying in the New Role Assignment window, the name I enter in the
> > 'Group or user name' box must match exactly an existing Windows group or
> > user?
> >
> > (And again I say that I am rather confused that it is a textbox rather
> > than
> > a selection list.)
> >
> > "Bruce L-C [MVP]" wrote:
> >
> >> No, this has nothing to do with SQL Server. RS is an asp.net application
> >> and
> >> it uses roles to manage who gets to run a report, create subscriptions,
> >> etc.
> >> Assuming that you are using integrated security (the default) then what
> >> you
> >> are doing is assigning a user or group to a particular role. If you are
> >> in
> >> the local administrators group for the server (not SQL Server, but the
> >> server RS is running on) then you are automatically part of the Content
> >> Manager role.
> >>
> >> When you create a datasource then you deal with the credentials for
> >> retrieving the data for the report.
> >>
> >> So, two different things which is good. Remember, you can connect to many
> >> different sources for the data for the reports and they can all be using
> >> different credentials for retrieving that data.
> >>
> >>
> >> --
> >> Bruce Loehle-Conger
> >> MVP SQL Server Reporting Services
> >>
> >>
> >> "B. Chernick" <BChernick@.discussions.microsoft.com> wrote in message
> >> news:18CD1BB0-50CD-422B-8A8B-2770B1B7CBFB@.microsoft.com...
> >> > I'm looking at the Properties tab of a report in the Report Manager.
> >> > If I
> >> > go
> >> > into 'New Role Assignment', I see a 'Group or user name:' textbox.
> >> >
> >> > Do I understand this correctly?: Any name I enter for a new role must
> >> > match
> >> > an existing SQL Server user or group? (If so I would expect some sort
> >> > of
> >> > lookup/selection list, which is the main cause for my confusion.)
> >>
> >>
> >>
>
>
|||I am experiencing the same issue as B.Chernick.
Just as B.Chernick explains, I have also created a Test user that
accesses the report, but gets errors during processing.
However, I noticed that if I gave my Test user domain administrator
privileges (which is not possible in the production environment) I am
able to view the report without any difficulty. This leads me to
believe that there is a permissions issue someplace along the line.
Any ideas?
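
Bruce's local-group approach from earlier in the thread, written out as a script. This is an added example, not code posted by anyone in the thread; the group name, accounts, report path and endpoint URL are assumptions, and `ReportService2010.asmx` applies to SQL Server 2008 R2 and later (older servers expose the same `GetPolicies`/`SetPolicies` calls on `ReportService2005.asmx`).

```powershell
# Added example, not from the thread. Windows PowerShell 5.1, elevated, on the report server.
# Every name below is a placeholder or constructed sample value.
$GroupName = 'RS_ReportViewers'                              # hypothetical local group
$Members   = 'CONTOSO\jsmith', 'CONTOSO\Finance Analysts'    # constructed accounts
$ItemPath  = '/Sales/Monthly Summary'                        # hypothetical report path
$RoleName  = 'Browser'                                       # built-in view-only role
$Endpoint  = 'http://localhost/ReportServer/ReportService2010.asmx'  # assumed URL

# 1. Create the local group once, then add users and domain groups to it.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'Report Server viewers' | Out-Null
}
$current = (Get-LocalGroupMember -Group $GroupName).Name
foreach ($m in $Members) {
    if ($current -notcontains $m) { Add-LocalGroupMember -Group $GroupName -Member $m }
}

# 2. Read the item's current role assignments from the SOAP management endpoint.
$rs        = New-WebServiceProxy -Uri $Endpoint -UseDefaultCredential
$ns        = $rs.GetType().Namespace          # namespace of the generated proxy types
$principal = "$env:COMPUTERNAME\$GroupName"   # local group as MACHINE\Group
$inherit   = $true
$policies  = @($rs.GetPolicies($ItemPath, [ref]$inherit))

# 3. Add the group-to-role mapping only if it is not already present.
$policy = $policies | Where-Object { $_.GroupUserName -eq $principal }
if (-not $policy) {
    $policy = New-Object "$ns.Policy"
    $policy.GroupUserName = $principal
    $policy.Roles = @()
    $policies += $policy
}
if ($policy.Roles.Name -notcontains $RoleName) {
    $role = New-Object "$ns.Role"
    $role.Name = $RoleName
    $policy.Roles += $role
}
$rs.SetPolicies($ItemPath, $policies)   # the item stops inheriting its parent's security

# 4. Review what is now assigned on the item.
$rs.GetPolicies($ItemPath, [ref]$inherit) |
    Select-Object GroupUserName, @{ n = 'Roles'; e = { $_.Roles.Name -join ', ' } }
```

This only controls who may open the item in RS; as Bruce's first reply says, the credentials the data source uses to retrieve data are configured separately.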