Create Report Viewer Role in SCCM 2012 R2
In this post we will see the steps to create a report viewer role in SCCM 2012 R2. Last week when I was working on SCCM 2012 R2, I got a request from two users that they need access to run the SCCM reports. I had heard about Role-Based Administration (RBA), which provides Configuration Manager 2012 administrators with a security model and the ability to assign and manage administrative permissions.
RBA is accomplished by using Security Roles, Security Scopes and Collections in Configuration Manager 2012. SCCM 2012 R2 comes with built-in Security Roles, and one such role is the Read-only Analyst role. Initially I thought I would give users access to the Read-only Analyst role, but this role grants permissions to view all Configuration Manager objects and I didn’t want the users to view all Configuration Manager objects. In such a situation you will need to create a report viewer role in SCCM 2012 R2 and grant the users access to specific nodes.
Create Report Viewer Role in SCCM 2012 R2
For example, a user Eric, who doesn’t have access to read and run the reports, gets the error shown in the screenshot below when he tries to access them. If Eric needs access to read the reports, we need to grant it to him.
In the CM console navigate to Administration -> Security -> Security Roles. Right-click the Read-only Analyst role and click Copy.
Specify the name for the new security role and add the description. Go through all the security settings and customize the permissions, setting them to Run Report. Once you are done, click OK.
Note – If, after this step, users with these permissions can run and open reports but no data is displayed, add the Read permission to each section where you specified only the Run Report permission.
Under the security roles, we now see a new role has been created.
To add the user to this new role, right-click Administrative Users and click Add User or Group.
Click Browse and add the User/Group. Next add the security role that you created in the above step. Click OK.
Suggestion – Instead of adding single users to this role, my suggestion would be that you create a group in ADUC and add the users who need access to reports to that group. You can add the same group to the report viewer role.
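The role copy and the group assignment described above can also be scripted with the Configuration Manager PowerShell module. This is an added example, not part of the original post; the site code, role name and AD group are placeholder values, and trimming the copied role down to Run Report (plus Read where needed) is still done in the console as described in the steps.

```powershell
# Added example. Run on a machine with the Configuration Manager console installed.
# Placeholder values (assumptions, replace with your own):
$SiteCode   = 'P01'                          # hypothetical site code
$SourceRole = 'Read-only Analyst'            # built-in role named in the post
$NewRole    = 'Report Viewer'                # name for the copied role
$Group      = 'CONTOSO\SCCM-Report-Viewers'  # hypothetical AD group of report users

# Load the ConfigMgr module that ships with the console and switch to the site drive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# Copy the built-in role only if the copy does not exist yet.
# The copy starts with every permission of Read-only Analyst, so it is NOT
# least privilege until its permissions have been reduced in the console.
if (-not (Get-CMSecurityRole -Name $NewRole)) {
    Copy-CMSecurityRole -Name $NewRole -SourceRoleName $SourceRole | Out-Null
}

# Assign the role to the AD group rather than to individual users.
# Scope and collection below are the built-in defaults; narrow them if the
# report users should only see part of the hierarchy.
if (-not (Get-CMAdministrativeUser -Name $Group)) {
    New-CMAdministrativeUser -Name $Group -RoleName $NewRole `
        -SecurityScopeName 'All' -CollectionName 'All Systems' | Out-Null
}

# Review: list every administrative user that still holds the broad built-in
# role, so accounts that only need reports can be moved to the new role.
Get-CMAdministrativeUser |
    Where-Object { $_.RoleNames -contains $SourceRole } |
    Select-Object LogonName, RoleNames
```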
I tried this exact report and users could only see All in the drop-down for Application and also Collection but not the list of Applications and also in Collections. Why is this? What else do I need to do?
This issue is resolved. I went through each and every role and enabled Read and also Run Report wherever it is available. That seems to fix the problem but probably not the right way to do it. It would be super nice to know exactly what security role should allow the access to view the reports.
Hi,
Thanks for the article. I tried this in my environment and a user with report view only access cannot load collection or other values in the report. Is there something else that needs to be configured for this?
User is still able to view all reports, as he can view the hyperlink to go back to the home page and see all reports. I guess some more steps are needed to restrict the scope.
I found this very beneficial. I would like to add, to view Application Deployment reports, I needed to also add read permissions to Application, Collection and Site. Lastly I added to View Asset Intelligence to “Software Titles”
Also, I found that you must give read permission to the collection section in the permissions list if the report has Collection Variables 🙂
Thanks for the tutorial.
Did anyone manage to give access to Application Deployment reports only?
Can you have just the CM12 client viewer installed or do you need to install the complete System Center 2012 Configuration Manager Support Center tool? I know it is not that large in size, just wondering.