I've inherited a bit of a security issue and would appreciate any insight.
The bottom line is that I have a user that can run one report from folder "X", but not the report next to it.
Here is the problem context. The names are changed to protect the innocent. SharePoint is not involved.
The SSRS Home Folder has Security "Group or User" of "DomainX\SSRS_Browsers" with Role(s) "Browser"
"SSRS_Browsers" is an AD group. The user with the issue (DomainX\UnhappyUser) is a member of this group.
The user is able to navigate to folder "X" (one level below Home) and run Report "A" successfully. But, when they try to run report "B", they get:
"An error has occurred during report processing. (rsProcessingAborted) The permissions granted to user "DomainX\UnhappyUser" are insufficient for performing this operation. (rsAccessDenied)"
The difference between report "A" that works, and report "B" that doesn't is that report "B" references a data set from a different data source.
Both reports reference DataSource1. The failing report additionally references DataSource2. The SSRS logs confirm this is where the problem is:
ERROR: Throwing Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: , Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: The permissions granted to user 'DomainX\UnhappyUser' are insufficient for performing this operation.;
processing!ReportServer_0-34!c58!07/16/2014-16:45:41:: e ERROR: An exception has occurred in data set 'DataSource2'. blah blah blah
Both data sources have "stored" credentials with the same AD user: "DomainX\SSRS_Reports". Both data sources reference the same instance of SQL Server. They do have different "Initial Catalog" values (DatabaseA and DatabaseB). I can run both reports successfully, but I have more authority.
"SSRS_Reports" is defined as a "Login" user under "Security" in SSMS at the instance level. The Server Role is "public".
DatabaseA (which is behind the data source that works) has Security->Users->DomainX\DataBaseA_Readers. This is an AD group that includes "SSRS_Reports" as a member.
DataBaseA_readers (in SQL Server, at the DatabaseA level) is a member of role db_datareader.
DataBaseB (which is behind the data source that fails) has Security->Users->DomainX\DataBaseB_Readers. This is also an AD group, that includes "SSRS_Reports" as a member.
DataBaseA_readers (in SQL Server, at the DatabaseB level) is a member of role db_datareader.
Does anyone have any insights as to where my problem may be?
Thank you. Sorry for the verbosity.
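One way to check the SQL Server side of the permission chain described in the post (stored credential, AD group, database user, db_datareader), as an added example that is not part of the original post. It assumes the post's anonymised names (DatabaseA, DatabaseB, DomainX\SSRS_Reports) and a session allowed to impersonate that login.

```sql
-- Added example, not from the original post. Database and account names are the
-- post's anonymised placeholders. Run in SSMS/sqlcmd as a login with IMPERSONATE
-- rights on the stored-credential account (for example a sysadmin).

-- 1. In each database, list the principals that are members of db_datareader.
--    The AD group mapped as a database user should appear in its own database.
USE DatabaseA;
SELECT DB_NAME() AS database_name, m.name AS member_name, m.type_desc
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name = N'db_datareader';
GO

USE DatabaseB;
SELECT DB_NAME() AS database_name, m.name AS member_name, m.type_desc
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name = N'db_datareader';
GO

-- 2. Impersonate the stored-credential account and look at what it really gets.
--    Staying in master means REVERT runs in the database where EXECUTE AS was issued.
USE master;
EXECUTE AS LOGIN = N'DomainX\SSRS_Reports';

-- Windows groups SQL Server sees in this account's login token.
SELECT name, type, usage
FROM sys.login_token
WHERE type = N'WINDOWS GROUP';

-- 1 = can enter the database, 0 = cannot, NULL = database name not valid.
SELECT HAS_DBACCESS(N'DatabaseA') AS can_enter_DatabaseA,
       HAS_DBACCESS(N'DatabaseB') AS can_enter_DatabaseB;

-- Effective database-level SELECT, resolved through group and role membership.
SELECT HAS_PERMS_BY_NAME(N'DatabaseA', N'DATABASE', N'SELECT') AS select_in_DatabaseA,
       HAS_PERMS_BY_NAME(N'DatabaseB', N'DATABASE', N'SELECT') AS select_in_DatabaseB;

REVERT;
GO
```

rsAccessDenied is raised by the report server's own role-based authorization, so these queries only rule the database side of the chain in or out.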