SSRS Proxy Account

You have a few possibilities

1) the proxy account mentioned - the easiest way and user do not need to enter a password to da datasource when he runs an report

2) Asking for a password to the datasource when user runs a report.

3) Using user domain acount and database security set for his own account. - hereare three scenarios

• SSRS are running on the same machine SQL Server (Ideal solution as user is automatically authetificated and using his own rights on the data sources)
• SSRS are running on different machine from SQL server and Kerberos is set up in the network (Ideal solution as previous - the result is the same as previous)
• SSRS are running on different machine from SQL server and you have no Kerberos in the network - the user will not be able to authetificate to the data sources.

If you have no other solution than the proxy account, the I suggest to create a standalone role for this account and Create also separate Reporting schema. Then in this schema create stored procedures as sources for the reports and grant the role only access to the Reporting schema to execute the reporting stored procs.

No dbo. You should create a database role, ReportRunners or something, that yougrant specific rights needed to run reports. Should only have Select rights. DBO has rights to add users, objects, etc.. and bypasses security checks within the database. DBO is to the database what sysadmin is to the server.

Pavel provided some good options and 3 is the best one. How much work is it for the network admins to create a group in AD for reporting and then you can add that group to the server and put that AD group in the ReportRunners role in the database. Then all they need to do is add/remove users from the role. They are likely already doing something similar to grant the users rights to get to the Report Server anyway.