I want to create a new role assignment in SSRS, but the problem is I don't see the Browser role or some of the built-in roles. Please help me to add built-in roles.
thanks
It seems that you accessed this page through the 'Site Settings' link; this will take you to system-level roles only, which is why you see Sys Admin and Sys user only.
If you need to assign a group to other built-in roles, this should be done at folder level, so you may need to use the "Folder Settings" link found in the SQL Server Reporting Services ribbon.
Depending on your security model you can do this at the root folder level or at specific folder level.
In vCenter 6.5 vSphere web client, if I logon as any user other than administrator@vsphere.local, I can't get to a few areas like Administration > Single sign on > Configuration.
I swear I did something to get my other user accounts access before, but if it's not just to give administrator access to 'global access', then I can't remember. vCenter died recently and I had to recreate it.
I'm trying to give otherUser@vsphere.local and an Active Directory group full access to do everything that administrator@vsphere.local can do.
Anyone know how to do this?
Note: I have the vCenter Server Appliance.
There are separate roles and permissions for vCenter and Appliance configurations (such as SSO). Make sure you're properly setting the permissions for those users/groups there as well.
Example of the SSO permissions: link
So, I've created a user in Plesk 11, and assigned him a role (a custom role that I created for him) with only database access.
But this new user has access to all my databases; I want to restrict his access to a specific one.
How can I do this, please?
Thank you.
Unfortunately it's impossible (at least I don't know how) in the scope of one subscription (even through a direct URL); it's only possible to bind this user to one exact subscription and move all other databases into another subscription.
You can add this as feature request to https://plesk.uservoice.com/forums/184549-feature-suggestions
Roles give administrative rights to users so Plesk is doing exactly what it was told to do.
Granting administrative DB permissions however does not create a mysql user but a panel user who can manage the databases of the subscriptions you gave him access to ("all" or individually selected).
If you see all databases in phpMyAdmin you are not logged in as this user but clicked a "webadmin" link from within plesk which uses a login-token for the matching db user created for this subscription/database or even the admin (Tools & Settings-> Applications & Databases -> Database Servers -> Servername -> Databases) -> "Webadmin" in "Tools" section.
If you see all databases of all subscriptions in Plesk Panel you selected "all" in the "access subscriptions" field when creating the user.
Defining a custom role as an approach for giving access to only one database does not make sense as there is no need for administrative rights (he only could delete his database).
If your intention was to create just a mysql user for a specific database in a specific subscription, open the subscriber's control panel when logged in as admin user, click "databases", select tab "users", click "add new database user" and select which databases this new user should have access to. Done.
Unfortunately for me it is not clear:
- where your user sees all the databases
- if "all" really is all of them (like system dbs, too)
- if "access" means control panel or mysql/phpmyadmin
However, I hope I covered all contingencies.
I don't seem to have the Site settings option on my SSRS instance.
I have looked at numerous online suggestions including:
http://social.msdn.microsoft.com/Forums/en-US/sqlreportingservices/thread/bc47050a-a733-4a27-a55a-64159453d83e
When I try to access the report server URL using IE as Run As Administrator, I get a login box every time.
From reading numerous articles it sounds like I need to be the System Administrator in SSRS to view the option, but I have no idea how to add a user to this system role. I have so far created a New Role using Folder --> Settings for the everyone group and that has at least given me access to the reports and let me publish reports etc.
Other than reinstalling SSRS, any suggestions?
It sounds like you've set folder/object level permissions; you need to set the site permissions, too.
To do this you'll need to log in as a server administrator; by default only the BUILTIN\Administrators group has the System Administrator role in a Report Server.
Once you have logged into Report Manager as a server administrator, click on Site Settings -> Security and add whatever groups/users required:
See Granting Permissions on a Report Server:
"At the site level, on the Site Settings page in Report Manager, create a system-level role assignment for each user and group using the predefined roles System User and System Administrator."
If you have UAC enabled you will need to run IE with Run As Administrator; if IE is prompting you for credentials you can suppress this by making sure User Authentication is set correctly in Internet Options -> Security Settings; set it to something like Automatic logon with current user name and password.
If you don't find the Site Settings option, i.e. the home page displays only Home, Subscription & Help, then:
- run IE as administrator
- go to Internet Options, Tools, Security, Custom Levels, and under User Authentication set automatic login with user name & password to yes
- restart the PC
You'll get the Site Settings and Folder Settings tabs.
We have the report server installed in the Domain Controller. In the report server, I removed all the roles assigned for BUILTIN\Users (except Browse), and left all the roles (including Content Manager) for BUILTIN\Administrators.
Now when I log in as the Domain Administrator, I cannot access the Security Settings page! I do not get the "Properties" tab in the Report Manager home page.
Since the server I have installed SSRS on is our domain controller, it doesn't have any BUILTIN groups. However, the Domain Administrator is in the Domain\Administrators group and I was under the impression that it would act as the BUILTIN\Administrators group in this case. But I was wrong.
Now since we cannot login as BUILTIN\Administrator, nobody has full access to the Report Manager.
I tried entering entries for ReportServer database PolicyUserRole table, so that I can assign content manager role to the BUILTIN\Users group. Although I added the entries successfully, the Report Manager still shows nothing when I login as a user to the website!
I need to do one of two things, either:
1. Somehow log in as BUILTIN\Administrator to the Report Manager. But I cannot do this because the Domain Controller doesn't have this group. The Domain\Administrators group doesn't seem to be working.
or
2. Somehow give ContentManager permission back to the BUILTIN\Users group. But I cannot do this using the ReportManager website OR the SQL Management Studio, as they do not recognize that my domain\Administrator has permission.
What nonnb said:
SSRS will allow any "local" administrators to the computer SSRS is running on to do administrative stuff.
You should be able to go to the domain controller, check local users and groups, and add your domain user as a local administrator on the computer. As far as I can remember, even the domain controller also has some local stuff. If not, it could be a discussion on whether it is smart or recommended to install SSRS on a domain controller, but that is out of scope for this question :)
Well, I couldn't find anything :(... I ended up re-installing the reporting services.
I have a SQL Server 2005 database that I'm trying to access as a limited user account, using Windows authentication. I've got BUILTIN\Users added as a database user (before I did so, I couldn't even open the database). I'm working under the assumption that everybody is supposed to have permissions for the "public" role applied to them, so I didn't do anything with role assignment. Under tblFoo, I can use the SSMS Properties dialog (Permissions page) to add "public", then set explicit permissions. Among these is "Grant" for SELECT. But running
SELECT * from tblFoo;
as a limited (BUILTIN\Users) account gives me an error "Select permission denied on object 'tblFoo', database 'bar', schema 'dbo'". In the properties dialog, there's an "Effective Permissions" button, but it's greyed out.
Further, I tried creating a non-priv account called "UserTest", adding that at the server level, then mapping it down to the "bar" database. This let me add UserTest to the "Users or Roles" list, which let me run "Effective Permissions" for the account. No permissions are listed at all -- this doesn't seem right. The account must be in public, and public grants (among other things) Select on tblFoo, so why doesn't the UserTest account show an effective permission? I feel like I'm going a bit crazy here.
ASIDE: I am aware that many people don't like using the "public" role to set permissions. This is just my tinkering time; in final design I'm sure we'll have several flexible (custom) database roles. I'm just trying to figure out the behavior I'm seeing, so please no "don't do that!" answers.
UPDATE: Apparently I know just enough SQL Server to be a danger to myself and others. In setting permissions (as I said, "among others"), I had DENY CONTROL. When I set this permission, I think I tried to look up what it did, had a vague idea, and decided on DENY. I cannot currently recall why this seemed the thing to do, but it would appear that that was the reason I was getting permission failures. So I'm updating my question: can anyone explain the "CONTROL" permission, as it pertains to tables?
- You only need to have SELECT rights. In raw SQL (see the "script" icon/button in your dialogue box), it's GRANT SELECT ON dbo.tblFoo to public. This is the only permission needed to view the data.
- In this case, the error message explicitly mentions "deny". "DENY" is a right in itself, so it mentions it.
- If you had no rights, you'd get the message (very approximately) "tblFoo does not exist or you do not have rights".
- "DENY CONTROL" is mentioned here. In this case, you denied all rights to the public role.
"The grantee effectively has all defined permissions on the securable"
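The check described in this answer, as an added T-SQL example that is not part of the original posts: it lists the GRANT and DENY entries on the table, shows what the user effectively holds, and removes the DENY. The names `bar`, `dbo.tblFoo` and `UserTest` come from the question; it assumes `UserTest` is mapped as a database user in `bar` and that you run it as a sysadmin or database owner.

```sql
-- Added example: inspect and undo a DENY that overrides GRANT SELECT.
-- bar, dbo.tblFoo and UserTest are the names used in the question.
USE bar;
GO

-- 1. Explicit permission entries recorded on the table, with their state.
SELECT pr.name AS grantee,
       pe.permission_name,
       pe.state_desc                 -- GRANT, DENY, GRANT_WITH_GRANT_OPTION
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1                   -- object- or column-level entries
  AND pe.major_id = OBJECT_ID(N'dbo.tblFoo')
ORDER BY pr.name, pe.permission_name;

-- 2. What the test user effectively holds while the DENY is in place.
--    Assumption: UserTest exists as a database user in bar.
EXECUTE AS USER = N'UserTest';
SELECT entity_name, subentity_name, permission_name
FROM sys.fn_my_permissions(N'dbo.tblFoo', N'OBJECT');
REVERT;

-- 3. Remove the DENY entry. REVOKE clears a GRANT or a DENY of the named
--    permission; the separate GRANT SELECT entry is left untouched.
REVOKE CONTROL ON OBJECT::dbo.tblFoo FROM public;

-- 4. Re-check as the user: 1 means SELECT is effective, 0 means it is not.
EXECUTE AS USER = N'UserTest';
SELECT HAS_PERMS_BY_NAME(N'dbo.tblFoo', N'OBJECT', N'SELECT') AS can_select;
REVERT;
```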
Assuming "UserTest" is a domain user account, connect as a member of the sysadmin role and run
EXEC master.dbo.xp_logininfo 'Domain\UserTest', 'all';
(substituting your domain name for "Domain")
this will display the Windows groups etc. that the account is inheriting security permissions from and the level of access, e.g. you would expect to see something like:
account name     type  privilege  mapped login name  permission path
domain\usertest  user  user       domain\usertest    BUILTIN\Users
This will help troubleshoot where the account is inheriting permissions from, e.g. which Windows groups it is part of that have permissions to the database. If this all looks OK then I would follow your own advice and not mess with the public role.
1. Create a database role in your database
2. Assign explicit permissions for that role
3. Create a server login for your user account
4. Open the server login, go to the User Mapping section, click on the database and select the database role you created
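The same four steps as a script, added here as an example and not taken from the original answer. `bar` and `dbo.tblFoo` are from the question; the role name `FooReaders` and the Windows account `Domain\UserTest` are placeholders. It uses `sp_addrolemember`, which is available on SQL Server 2005.

```sql
-- Added example: scripted equivalent of the dialog steps above.
-- FooReaders and Domain\UserTest are hypothetical placeholder names.
USE bar;
GO

-- Steps 1 and 2: create the role and give it only what it needs.
CREATE ROLE FooReaders;
GRANT SELECT ON OBJECT::dbo.tblFoo TO FooReaders;
GO

-- Step 3: server-level login for the Windows account.
USE master;
GO
CREATE LOGIN [Domain\UserTest] FROM WINDOWS;
GO

-- Step 4: map the login into the database and add it to the role.
USE bar;
GO
CREATE USER [Domain\UserTest] FOR LOGIN [Domain\UserTest];
EXEC sp_addrolemember N'FooReaders', N'Domain\UserTest';
GO

-- Verify the membership that was just created.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals  AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'FooReaders';

-- Verify the effective permission as that user: 1 = allowed, 0 = not.
EXECUTE AS USER = N'Domain\UserTest';
SELECT HAS_PERMS_BY_NAME(N'dbo.tblFoo', N'OBJECT', N'SELECT') AS can_select;
REVERT;
```

A DENY left on `public` still overrides the role's GRANT, so clear it before relying on the role.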