View Permissions for Reporting Services in SharePoint Integrated Mode

Setting up security for SSRS in SharePoint integrated mode can be a bit tricky, particularly if you want to set up some of your users to only be able to run reports, but not to be able to modify or change them. If you give the users the standard Contribute permission level in SharePoint, they have the ability to view and execute reports, but they can also delete existing reports or add new ones. If you assign only the Read permission level to the users, they won’t even be able to see the reports in the document library.

Based on my experiences with it, there seems to be a requirement that users have the Edit Items permission, even if you want them to only view reports. Until that’s resolved, this will get you to the minimal set of permissions needed. To enable the desired behavior, you have to create a new permission level that has a specific set of privileges, including the View Items and Edit Items permissions. Note that not all of the permissions listed below are 100% required, but they are recommended for correct SharePoint operation.

To set it up so users can see and run reports, but not add or delete them, do the following:

  1. Go to the site that contains the Reports Library that you want to secure.
  2. Select Site Actions..Site Settings..Modify All Site Settings.
  3. Under Users and Permissions, select Advanced Permissions.
  4. Choose Settings..Permission Levels.
  5. Choose Add a Permission Level.
  6. Give the new permission level a name like "Report Reader", a description like "Minimal permissions to view reports.", and select the following permissions:
    1. List Permissions:
      1. Edit Items (hopefully, the requirement for this will be removed soon, as it gives the user the ability to edit the name and description of the report)
      2. View Items
      3. Open Items
      4. View Versions
      5. View Application Pages
    2. Site Permissions:
      1. View Pages
      2. Browse User Information
      3. Use Remote Interfaces
      4. Open
  7. Click Create to create the new permission level.

Now, you can create a new SharePoint group that uses the Report Reader permission level, or assign it directly to a user.
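Steps 4 through 7 can also be scripted, which makes the permission level reproducible across sites and lets you check what it grants. The following is an added example, not part of the original post: it uses the SharePoint server object model from PowerShell, assumes it runs on a SharePoint server under a site collection administrator account, and uses a placeholder site URL.

```powershell
# Added example: create the "Report Reader" permission level from step 6.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$siteUrl   = "http://sharepoint.example/sites/reports"   # placeholder URL (assumption)
$levelName = "Report Reader"

# The nine rights selected in step 6, as SPBasePermissions flag names:
#   List: Edit Items, View Items, Open Items, View Versions, View Application Pages
#   Site: View Pages, Browse User Information, Use Remote Interfaces, Open
$rights = [Microsoft.SharePoint.SPBasePermissions](
    "EditListItems, ViewListItems, OpenItems, ViewVersions, ViewFormPages, " +
    "ViewPages, BrowseUserInfo, UseRemoteAPIs, Open")

$site = New-Object Microsoft.SharePoint.SPSite($siteUrl)
$web  = $site.OpenWeb()
try {
    # Permission levels can only be added where they are not inherited
    if (-not $web.HasUniqueRoleDefinitions) {
        throw "Permission levels are inherited here; define the level on the parent site."
    }

    $role = $web.RoleDefinitions | Where-Object { $_.Name -eq $levelName }
    if (-not $role) {
        $role = New-Object Microsoft.SharePoint.SPRoleDefinition
        $role.Name            = $levelName
        $role.Description     = "Minimal permissions to view reports."
        $role.BasePermissions = $rights
        $web.RoleDefinitions.Add($role)
        $role = $web.RoleDefinitions[$levelName]
    }

    # Check: the level must not carry rights that let users add or delete reports
    $granted  = $role.BasePermissions.ToString() -split ',\s*'
    $unwanted = "AddListItems", "DeleteListItems", "DeleteVersions", "ManageLists" |
                Where-Object { $granted -contains $_ }
    if ($unwanted) {
        Write-Warning ("{0} also grants: {1}" -f $levelName, ($unwanted -join ", "))
    } else {
        Write-Host ("{0} grants: {1}" -f $levelName, ($granted -join ", "))
    }
}
finally {
    $web.Dispose()
    $site.Dispose()
}
```

The final check also works against an existing level with the same name, so it reports any add or delete rights that were granted by hand earlier.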

This seems to be either a bug in the product or a configuration problem on my part. However, if it’s a configuration problem, it’s occurring on all the SharePoint boxes I have access to, and I can’t find any information on how to fix it. If you do have any information on how to avoid giving the Edit Items permission, please post it here in the comments.

8 Comments

  1. http:// says:

    We had the same problem a while back. We were able to get around it by using custom connections for each report instead of shared connections. After that, we were able to get by with using the “Restricted Read” permission level.

  2. http:// says:

    Todd, hopefully you might see this. If you do, I would be very interested in how you set the report parameters by user id. I have been looking for this type of solution without luck. Please email me at ken.kolk@medcor.com

  3. Dan English says:

    You simply need to ‘Publish a Major Version’ of the item in SharePoint with the context menu in the library. Once you do this the users no longer need the edit capabilities and you can follow the security here – http://msdn.microsoft.com/en-us/library/bb283148.aspx. If you don’t publish a major version then the only way the end-users will see the items is if they have the edit items permission which is something that you definitely do not want to provide them.

    • jwelch says:

      You know, I’d forgotten all about this post. Dan, you are correct (as usual), the solution was to publish a major version (or turn off minor versions, which is what we ended up doing in our scenario).

  4. Roma says:

    Dan,

    Thanks a lot, I totally missed that point and was giving Contribute permissions.

  5. Chris says:

    Hi,

    My reports are published as major versions, but without ‘Browse User Information’, and ‘Open’ permission level, my users get Access Denied when attempting to view them. Unfortunately, giving this access also allows the users to download the definition file (the rdl), and access My Site, which I don’t want.

    There must be a way I can provide the users with access to view Reports in the Report Library with only ‘View’ permissions?

    I have turned off minor versioning and it hasn’t helped…

    Chris

  6. Chris says:

    After so much searching and reading, it takes for me to post a message and then it hits me.

    There is a subtle but important difference between ‘Read Only’ access and ‘View Only’ access. Read only access will allow the user to view and download, but view only will not allow them to download or modify. This may not make a difference with a Word document where you can right-click and save anyway, but it does with an RDL that has to be viewed within the context of the Report Viewer.

  7. Rod says:

    I had this problem and it turns out that you must publish a major version, i.e. 1.0, 2.0 for a SharePoint user with Read permissions to view and open reports.
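Several comments above trace the Edit Items requirement to reports that have never been published as a major version. The following added example (not from the original post or its commenters) lists the versioning settings of the library and every report definition that is not at the Published level; the site URL and the library title are placeholders, and it assumes the same server-side PowerShell session as any other object-model script.

```powershell
# Added example: find reports that are still drafts or checked out.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$siteUrl     = "http://sharepoint.example/sites/reports"   # placeholder URL (assumption)
$libraryName = "Reports Library"                           # assumed library title

$site = New-Object Microsoft.SharePoint.SPSite($siteUrl)
$web  = $site.OpenWeb()
try {
    $list = $web.Lists[$libraryName]

    # Library-level settings that decide who can see draft (minor) versions
    Write-Host ("Minor versions enabled : {0}" -f $list.EnableMinorVersions)
    Write-Host ("Drafts visible to      : {0}" -f $list.DraftVersionVisibility)

    $published = [Microsoft.SharePoint.SPFileLevel]::Published
    $pending   = @()
    foreach ($item in $list.Items) {
        $file = $item.File
        if ($file -and $file.Name -like "*.rdl" -and $file.Level -ne $published) {
            $pending += $file
            Write-Host ("{0}  version {1}  level {2}" -f `
                $file.ServerRelativeUrl, $file.UIVersionLabel, $file.Level)

            # Uncomment to publish a major version of a draft, as the comments suggest.
            # Checked-out files must be checked in first.
            # if ($file.Level -eq [Microsoft.SharePoint.SPFileLevel]::Draft) {
            #     $file.Publish("Published so report readers do not need Edit Items")
            # }
        }
    }

    Write-Host ("{0} report(s) without a published major version" -f $pending.Count)
}
finally {
    $web.Dispose()
    $site.Dispose()
}
```

Run it before removing Edit Items from a permission level, so that any report still at a draft level is published first.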
