Create Report Viewer Role in SCCM 2012 R2

In this post we will see the steps to create a report viewer role in SCCM 2012 R2. Last week, when I was working on SCCM 2012 R2, I got a request from two users who needed access to run the SCCM reports. I had heard about RBA, which provides Configuration Manager 2012 administrators with a security model and the ability to assign and manage administrative permissions.
RBA is accomplished by using Security Roles, Security Scopes and Collections in Configuration Manager 2012. SCCM 2012 R2 comes with built-in Security Roles, and one such role is the Read-only Analyst role. Initially I thought I would give the users access to the Read-only Analyst role, but this role grants permissions to view all Configuration Manager objects, and I didn’t want the users to view all Configuration Manager objects. In such a situation you will need to create a report viewer role in SCCM 2012 R2 and grant the users access to specific nodes.
Create Report Viewer Role in SCCM 2012 R2
For example, a user named Eric who doesn’t have access to read and run the reports gets the error shown in the screenshot below when he tries to access them. If Eric needs to read the reports, we need to grant him access.
In the CM console, navigate to Administration -> Security -> Security Roles. Right-click the Read-only Analyst role and click Copy.
Specify the name for the new security role and add a description. Go through all the security settings, customize the permissions and set them to Run Report. Once you are done, click OK.
Note – After this step, if users with these permissions are able to run and open reports but no data is displayed, add the Read permission to each section where you specified only the Run Report permission.
Under the security roles, we now see a new role has been created.
To add the user to this new role, right-click Administrative Users and click Add User or Group.
Click Browse and add the user or group. Next, add the security role that you created in the above step. Click OK.
Suggestion – Instead of adding single users to this role, my suggestion would be that you create a group in ADUC and add the users who need access to reports to that group. You can add the same group to the report viewer role.
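The same procedure, including the AD group suggestion, can be scripted. The following is an added example, not part of the original post; the site code, domain, group, role and member names are placeholders, and it assumes the ActiveDirectory and ConfigurationManager PowerShell modules are installed. The first run only copies the role so that its permissions can be trimmed to Run Report in the console; the group is bound to the role only on a later run with -Assign.

```powershell
# Added example. P01, CONTOSO, SCCM-Report-Viewers, Report Viewer and eric are placeholders.
param(
    [string]$SiteCode    = 'P01',
    [string]$Domain      = 'CONTOSO',
    [string]$GroupName   = 'SCCM-Report-Viewers',
    [string]$RoleName    = 'Report Viewer',
    [string[]]$Members   = @('eric'),
    [switch]$Assign      # pass only after the copied role has been trimmed in the console
)

Import-Module ActiveDirectory
Import-Module "$($ENV:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"

# 1. Create the AD security group once, then add only the members that are missing.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
$existing = @(Get-ADGroupMember -Identity $GroupName | ForEach-Object { $_.SamAccountName })
$toAdd    = @($Members | Where-Object { $_ -notin $existing })
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $GroupName -Members $toAdd
}

# 2. Switch to the site drive and copy the built-in role if the custom one is missing.
Set-Location "$($SiteCode):"
$role = Get-CMSecurityRole -Name $RoleName
if (-not $role) {
    Copy-CMSecurityRole -Name $RoleName -SourceRoleName 'Read-only Analyst'
    # The copy still carries every Read-only Analyst permission at this point.
    Write-Warning "Role '$RoleName' created. Reduce it to Run Report in the console, then re-run with -Assign."
    return
}

# 3. Never hand the report group a built-in role by mistake.
if ($role.IsBuiltIn) {
    throw "'$RoleName' is a built-in role; choose the name of the customized copy."
}

# 4. Bind the group (not individual users) to the trimmed role.
if ($Assign) {
    New-CMAdministrativeUser -Name "$Domain\$GroupName" -RoleName $RoleName
} else {
    Write-Warning "Role exists. Re-run with -Assign once its permissions have been reviewed."
}
```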