November 9, 2010 at 10:11 am
I have not been able to find any documentation on what file system permissions are required for the Reporting services file directory (c:\program Files\Microsoft SQL Server\MSRS10.MSSQLSERVER).
I am being required to restrict the permissions by our Security requirements - it requires only administrators, DBAs, System and the SQL Service Accounts to have permissions, and explicitly requires removal of the builtin users group. However, if I remove the builtin users group from the directory permissions, our users cannot access the reporting services (access denied). I need to determine the most restrictive permissions I can use and still keep reporting services functioning for our users.
Thank you.
Duane Rezac
November 9, 2010 at 1:13 pm
Create Active Directory Security Groups and add the users to those security groups. Then apply appropriate permissions in reporting services to those security groups.
November 10, 2010 at 5:16 am
I tried that after I had made the original post. We are using AD domain Local groups to control access to report folders in Reporting Services. I created a new AD group for Reporting service users, added all of our AD groups that control report access to the new group, gave the new group the same permissions as the builtin users group to the reporting services directory, removed the builtin users group, and they could not access reporting services until I re-added the builtin users group.
As part of my diagnostics, I ran procmon and watched the reporting services directory for file access - only the Reporting services service account and the system account were accessing the file system.
Duane Rezac
November 10, 2010 at 7:40 am
I tried the groups again in order to monitor the file system for access failures, and this time it worked with no problems. The only thing I can come up with is that the new group may not have been fully replicated to all of the DCs when I did my first test.
So to sum it up, the solution appears to be to remove the builtin users group, create a new AD group that contains the users that need access to reporting services, and give the new group Read, Read & Execute and List Folder Contents permissions.
However, I'm still puzzled why this is needed, as I could not find any access to the file system other than by the SQL Reporting service account and the local system account.
Could the reporting services be using impersonation?
Duane Rezac
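The permission change summarised in the last post, written out as an added PowerShell example that is not part of the original thread. The group name `CONTOSO\SSRS-Users` and the backup file location are assumptions; the directory path is the one given in the first post. Run it from an elevated session.

```powershell
# Added example, not from the original thread.
$Path  = 'C:\Program Files\Microsoft SQL Server\MSRS10.MSSQLSERVER'
$Group = 'CONTOSO\SSRS-Users'   # hypothetical AD group holding the report users

# Stop before touching the ACL if the group cannot be resolved from this server,
# for example because it has not yet replicated to the DC being queried.
try {
    $groupSid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
        [System.Security.Principal.SecurityIdentifier])
} catch {
    throw "Cannot resolve '$Group' from this server; ACL left unchanged."
}

# Keep a copy of the current ACL (SDDL form) so the change can be rolled back.
$backup = Join-Path $env:TEMP 'MSRS10-acl-backup.sddl'   # assumed location
(Get-Acl -LiteralPath $Path).Sddl | Set-Content -LiteralPath $backup

# BUILTIN\Users normally reaches this folder by inheritance from Program Files.
# Break inheritance and convert the inherited entries to explicit ones so that
# the Users entry can be removed without touching the parent directory.
$acl = Get-Acl -LiteralPath $Path
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -LiteralPath $Path -AclObject $acl

# Re-read the ACL so the copied entries are visible as explicit rules.
$acl = Get-Acl -LiteralPath $Path

# ReadAndExecute inherited by subfolders and files is what the GUI shows as
# "Read & execute", "List folder contents" and "Read".
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $groupSid, 'ReadAndExecute', $inherit, 'None', 'Allow')
$acl.AddAccessRule($rule)

# Remove every explicit entry for BUILTIN\Users (well-known SID S-1-5-32-545).
$usersSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')
$acl.PurgeAccessRules($usersSid)
Set-Acl -LiteralPath $Path -AclObject $acl

# Review the result: the new group should be listed and BUILTIN\Users should not.
(Get-Acl -LiteralPath $Path).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

Users added to the new group pick up the membership in their access token at their next logon, so test with a fresh session.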