Setting up security for SSRS in SharePoint integrated mode can be a bit tricky, particularly if you want to set up some of your users to only be able to run reports, but not to be able to modify or change them. If you give the users the standard Contribute permission level in SharePoint, they have the ability to view and execute reports, but they can also delete existing reports or add new ones. If you assign only the Read permission level to the users, they won’t even be able to see the reports in the document library.
Based on my experiences with it, there seems to be a requirement that users have the Edit Items permission, even if you want them to only view reports. Till that’s resolved, this will get you to the minimal set of permissions needed. To enable the desired behavior, you have to create a new permission that has a specific set of privileges, including the View Item and Edit Item permissions. Note that not all of the permissions listed below are 100% required, but they are recommended for correct SharePoint operation.
To set it up so users can see and run reports, but not add or delete them, do the following:
- Go to the site that contains the Reports Library that you want to secure.
- Select Site Actions..Site Settings..Modify All Site Settings.
- Under Users and Permissions, select Advanced Permissions.
- Choose Settings..Permission Levels.
- Choose Add a Permission Level.
- Give the new permission level a name like "Report Reader", a description like "Minimal permissions to view reports.", and select the following permissions:
- List Permissions:
- Edit Items (hopefully, the requirement for this will be removed soon, as it gives the user the ability to edit the name and description of the report)
- View Items
- Open Items
- View Versions
- View Application Pages
- Site Permissions:
- View Pages
- Browse User Information
- Use Remote Interfaces
- Open
- List Permissions:
- Click Create to create the new permission level.
Now, you can create a new SharePoint group that uses the Report Reader permission level, or assign it directly to a user.
This seems to be either a bug in the product or a configuration problem on my part. However, if it’s a configuration problem, it’s occurring on all the SharePoint boxes I have access to, and I can’t find any information on how to fix it. If you do have any information on how to avoid giving the Edit Items permission, please post it here in the comments.