This post will assume that you work in IT OPS and have access and permission to configure Active Directory. I am using AWS Microsoft Active Directory Enterprise (MSDA) in this example.
While there are many ways to configure access and permissions in SSRS, most DBAs will suggest that using AD GROUPS is the best practice and certainly preferred over having to manage individual accounts. My company has over 1000 employees. I don’t wish to even imagine the headache that would create trying to manage permissions for each user.
For all of my AWS accounts and company locations, I have set up folders that permission ROLES can be configured on. The reports that each GROUP may access are then configured there.
In this example you may see some of these GROUPS defined and used. Each company/location may be different.
| GROUP | ACCESS | ROLE PERMISSION |
| BUILTIN\Administrators (RDS) | Everything | All |
| MyDOMAIN\SsrsItAdmin | Everything | All |
| MyDOMAIN\SsrsReportManager | All folders except ItAdmin | All |
| MyDOMAIN\SsrsReadAll | All folders except ItAdmin 7 Test | Browser (Read only) |
| MyDOMAIN\SsrsTest | Home & Test only | All on Test folder only |
In AWS RDS SSRS the MSAD Groups that you create must be granted permission to access SSRS.
You can do that by using SSMS and this code snippet.
USE msdb;
exec msdb.dbo.rds_msbi_task
@task_type='SSRS_GRANT_PORTAL_PERMISSION',
@ssrs_group_or_username=N'MyDomain\SsrsMyGroup’;
-- View task status
exec msdb.dbo.rds_task_status;
Add A User to SSRS Group in MS Active Directory
In this example I will add a user to the SsrsReportsReadAll group.
- Open GROUPS
- Select the SsrsReportsReadAll group.
- Click the MEMBERS tab.
- Click the ADD button.
- Go to ADVANCED option.
- Search for the USER.
- Double click on desired user and click OK.
Configure Security on the SSRS Folder
NEXT, I will add the new security group to the HOME folder. This will propagate the permissions to all the sub folders. Later I will REMOVE ROLE permissions from folders that the GROUP should not access.
On the SECURITY TAB of the MANAGE section, I will select ADD GROUP OR USER.
Next, I will enter my DOMAIN and GROUP to add, select the ROLE permissions I need, and click OK.
I will need to find the FOLDERS where the Group’s users SHOULD NOT have access and remove the GROUP from those folder. Or change the permission to BROWSE only (or whatever may be required.)
The GROUP (and its USERS) should now be set to access the reports.
See my next post on WORKSPACE SET UP for AWS RDS SSRS ACCESS, for information about what an individual user may need to setup for access there.