Creating the Reporting User role in ConfigMgr. 2012

Role based Security in ConfigMgr. 2012 is much different from ConfigMgr. 2007. The new version ships with predefined security roles like Administrator, Infrastructure Administrator etc. One role is missing though – the Reporting User role.

Create the Reporting User role

  1. Open the ConfigMgr. Console, navigate to the Administration workspace and select Security, Security Roles
  2. Select the Read-Only Analyst role and click Copy on the ribbon. This role comes very close to our reporting only role.


  3. Name the Role Reporting User. Go thru all the security settings and remove all settings except Run Report.


  4. Click OK and save the custom role.

Associate an Active Directory group with the new Reporting User role

  1. Create an Active Directory group called Reporting Users
  2. Open the ConfigMgr. Console, navigate to the Administration workspace and select Security, Administrative Users
  3. Click Add User or Group from the Ribbon.
  4. Click Browse, type the name of the Active Directory and click OK.
  5. In Assigned Security Roles click Add and select the Reporting User role.
  6. Notice the default collections that are selected in Security Scopes and Collections. All Systems and All Users will allow the Reporting User to see all objects in the reports.


  7. Click OK – the user role is now configured

What happens if the reporting user tries to log on to the ConfigMgr. console?

The end user will not be able to open the ConfigMgr. administrator console. They will get an access denied.


Comments (13):

  1. […] I recently ran into an issue that non-admin users were unable to create subscriptions on the Reporting Services Point. After installing the Reporting Services Point, I created a Reporting User security role based on Kent Agerlund’s blog: […]

  2. David says:


    Is there a way to restrict users to only see a subset of the Reports that are available in SCCM 2012? For instance, we have a team that we would like to restrict to only seeing the Software Metering reports.

    Is that possible?

  3. Matt says:

    Hey David,

    SCCM 2012 R2 supports applying the RBA security to individual reports



  4. Niki says:

    Problem with this though, is that the user with these permissions are able to run and open reports but they don’t show any data, as they don’t have read access to the data!

  5. Ahmad says:

    I am also having problems granting user access to run only one specific report.

    I’ve also followed the procedure listed here, but it does not work either.

    Can someone please elaborate the exact working method on how to grant access on a single report in such a way that users cannot see any other reports/folders in SSRS?

  6. evoges says:

    I also have the same issue as Niki… they have access to the reports in IE (don’t care about the console), but when they run a report, no data is returned.

    Has anyone figured out what settings need to be set, to get access to the data?

    • Frostygills says:

      Evoges and Niki, we had this issue too and have just figured out how to resolve. After lots of querying of the DB and SSRS, we found that we had to add the ‘Read’ permission to each section where we were giving the ‘Run Report’ permission. Otherwise, we had the SSRS header but, no data or error.

  7. ahmed says:

    We are using SCCM 2012 SP1 CU4. We have users group who have access to web reporting and for some reason their security role status is changing from “Active” to delete and they can no longer access web reports. However, they can still access SCCM console and function without any issue

  8. AL says:

    I believe I have a solution for the issues everyone is having. First, please note the date of Kent’s original post. He was probably using the RTM version of CM 2012 or something close to it. I’m sure things have changed a bit since then so his settings no longer work for more recent versions. Here’s what I did to get this working in my test lab which is running CM 2012 R2 CU2.

    1) Set everything up the way Kent describes above. This allows users to see reports on the SSRS website.

    2) Edit your Reporting Security Role and add the READ permission to each of the settings that also have the Run Report permission set. Frostygills mentioned this in a previous comment. This will give you the ability to see, select, and enter parameters in a report but does not necessarily let you see ALL of the data. Try stopping here and run a Hardware or Software Inventory report for a specific computer.

    3) The last step is to Edit your Reporting Security Role and add the READ RESOURCE permission in the COLLECTIONS section. This will allow the user to get data on a specific resource. Now try re-running your inventory report, but don’t just hit refresh on the actual report for the computer. You have to use your back button and return to the page where you enter/select the paramerter(s), refresh THAT page, enter your parameter(s), and you should now see data on the specific resource.

    • AL says:

      There is one caveat to implementing the additional steps noted above. Users with this role WILL be able to connect to your CM site using the console. Their access will of course be read only so it shouldn’t be a problem. But you never know, which is why I thought I should point that out.

  9. Adam says:

    Try importing this user role – worked great for me

  10. MChops says:

    Hello, what permission allows a user to create report subscription in the SCCM console?

  11. Hossam Almosallamy says:

    also I found that you must give read permission to the collection section in the permissions list if the report have a Collection Variables :)

Leave a Reply