In a recent tweet, S. D’Souza @sdsouza78 said, “It always confuses me which account/security context gets used where when running reports from within SCCM/SSRS environment.” I found his admission interesting and my first reaction was to say that SSRS always uses your account information, but the answer isn’t that simple! In ConfigMgr 2012 and later there is only one supported configuration (see Screenshot #4 below), so this blog post will talk about it and how to determine what security account is running the SSRS reports in your environment. By the way, with ConfigMgr 2007, it is a “free for all.” So, for ConfigMgr 2007 there is no easy answer.
Which Security Accounts Are Used within ConfigMgr SSRS?
Similar to my last post on the subject, How Does the ConfigMgr SSRS Report Execution Workflow Operate? I’m going to use the same scenario, so the workflow will be the same. This time, however, I will be looking at it from a security perspective.
- Morgan wants to execute a report called, Overall Missing Software Update Status by Classification, with the Home > ConfigMgr_CM6 > Enhanced Web Reporting > Software Updates folder on a server called CM12R2-CM6.
- CM12R2-CM6 is a ConfigMgr 2012 R2 Server with SQL 2012 and SSRS.
- Both SSRS and SQL are using the default instances.
- Morgan is NOT a ConfigMgr 2012 R2 administrator.
- All reports are Role-Based Administration (RBA) reports.
- My example will start with Morgan sitting at his Windows 7 desktop.
On the left-side of the flowchart (see below) is a summary of the SSRS report process. On the right-side is each account’s database permissions. After the flowchart, I’ll show you where to locate your configuration by pointing out where each piece of information is found.
The name of your SSRS database is found within the Reporting Services Configuration Manager executable. You can access this window from the Database node in the executable. Screenshot #2 shows this node.
This is the service account that SSRS is running under. And, this window can be found within the Reporting Services Configuration Manager executable. Also notice on the left-hand side that the Database node is showing as mentioned in Screenshot #1’s description.
The green arrow is pointing to the ConfigMgr database name which is being used by SSRS. The red arrow shows you which account is accessing the ConfigMgr database whenever reports are executed. Also, you can find this information by reviewing the reporting point’s properties in the ConfigMgr console.
Accordingly, you can find the one supported configuration by reviewing the SSRS data source properties found on the SSRS web interface under the main ConfigMgr_<your site code> folder.
Additionally, thank you S. D’Souza for the questions! I hope that this helps. Make sure to read tomorrow’s post about the SSRS report execution workflow from the ConfigMgr console.
If you have any questions about which security accounts are used within ConfigMgr SSRS report execution, feel free to contact me @GarthMJ. And, make sure to follow my posts on the Enhansoft blog site.