«

Mar 24

How to set permissions on custom SCCM reports

System Center Configuration ManagerFor one of my customers I was asked to set up a new SCCM site (SCCM2016 – 1610). They had one extra request, they wanted to use a custom report: Software Update Compliance Dashboard (a nice report from Gary Simmons).

After setting up the SCCM environment, I setup the Reporting Server and the reporting services point. When that was working I imported the custom report. So far, so good. The custom report was accessible for the SCCM Admins security group. As I didn’t want to give all users full SCCM admin permissions, I added the reporting security group on the Manage Folders section on my SSRS site. And it worked! Users from the reporting security group could access the site.

A few minutes later, when I was showing the report to my customer, I didn’t had access anymore. After checking the permissions on the SSRS site, I noticed that the security group was removed?! I tried the same actions, one more time, but again, same result.


After investigating the issue, I noticed that only my SCCM Full Admin users had access and those security groups weren’t removed while the reporting group got removed each time. Then it struck me, the permissions of SSRS are being managed by SCCM, which is kind of, ehm, obvious actually. But how to give access to a reporting security group, without giving them full admin permissions or the Read-only Analyst role which still holds to much permissions?

To solve this issue, I used a blogpost of Brian Mason. Microsoft “forgot” to add a report user security role in SCCM. Brian created a custom role which can be downloaded here.

Download the zip, unpack and navigate to: \Administration\Overview\Security\Security Roles
Right click Security Roles and click “Import Security Role”

Navigate to the unpacked xml-file. Select the xml-file and click open

A new custom role is added to the SCCM security roles

Now it’s possible to add a group and assign the Report Readers role.

After adding the security group with the Report Readers role, the group is also automatically added to SSRS site (can take a few minutes)

After the role being sychronized, users from the reporting security group are able to browse to the custom report!

 

Leave a Reply