x

Immediately propagate Windows permissions for SSRS

I manage my SSRS access through Windows Active Directory Groups, however when I add a new user to an existing group, the only way I have ever found of propagating this permission is to get the user to logoff and logon again.

Is there a way of 'forcing' Windows permissions to be refreshed?

more ▼

asked May 26, 2010 at 07:24 AM in Default

Kev Riley gravatar image

Kev Riley ♦♦
52.8k 47 49 76

(comments are locked)
10|1200 characters needed characters left

3 answers: sort voted first

I do security the same way and I used to have that problem but I've got this working now. I can't remember where I found this but if you let all users view all folders (with the View Folder role, not the Browser role so they can see the folder but only reports they have access to) then they can see a report as soon as you give them access.

Here's what you do:

Go into Site Settings | Configure item-level role definitions and create a new role (eg. View Folders Role). Tick the View Folders task.

Add the domain group(s) to the security of every folder in your new View Folders Role role.

more ▼

answered May 26, 2010 at 01:10 PM

David Wimbush gravatar image

David Wimbush
4.9k 28 30 33

David, tried that but the user still didn't see any new folders/reports until they logged off and on again - not sure if it matters but I don't have the folders in Home inheriting permissions from the parent folder
May 27, 2010 at 01:10 PM Kev Riley ♦♦
Sorry Kev, I was rushing and got it a bit wrong. You need to apply the View Folders role to every folder. It doesn't let them see any reports they don't have, just the folders.
May 28, 2010 at 04:59 AM David Wimbush
That's quite a few folders.....
May 28, 2010 at 08:55 AM Kev Riley ♦♦
Hmm. I only had about 20 so it was worth the effort. Can't think of anything else, I'm afraid.
May 28, 2010 at 09:18 AM David Wimbush
Don't get me wrong it's a good workaround, just not suitable entirely for my solution!
May 28, 2010 at 09:34 AM Kev Riley ♦♦
(comments are locked)
10|1200 characters needed characters left

Ahh think I might have found the answer. It appears not, according to an answer found here

The user receives his/her security token at logon. The security token contains information regarding the user's group membership and other rights.

If you add or remove a user to/from a particular group, then that user needs to receive a new token in order take advantage of the group membership. This process only occurs at logon. It cannot happen "on the fly."

more ▼

answered May 26, 2010 at 12:01 PM

Kev Riley gravatar image

Kev Riley ♦♦
52.8k 47 49 76

(comments are locked)
10|1200 characters needed characters left

Do you have more than one domain controller? It may be a requirement for replication to take place between the AD servers so that they are all up-to-date. Sometimes here we have to force replication manually to get user accounts to pick up new permissions. This isnt much better than the user logoff/logon though, its just a different person doing the work.

more ▼

answered May 26, 2010 at 07:41 AM

Fatherjack gravatar image

Fatherjack ♦♦
42.3k 75 78 108

Nope, just the one DC
May 26, 2010 at 08:03 AM Kev Riley ♦♦
(comments are locked)
10|1200 characters needed characters left
Your answer
toggle preview:

Up to 2 attachments (including images) can be used with a maximum of 524.3 kB each and 1.0 MB total.

New code box

There's a new way to format code on the site - the red speech bubble logo will automatically format T-SQL for you. The original code box is still there for XML, etc. More details here.

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

SQL Server Central

Need long-form SQL discussion? SQLserverCentral.com is the place.

Topics:

x547
x85
x12

asked: May 26, 2010 at 07:24 AM

Seen: 2537 times

Last Updated: May 26, 2010 at 07:24 AM