Immediately propagate Windows permissions for SSRS

I manage my SSRS access through Windows Active Directory Groups, however when I add a new user to an existing group, the only way I have ever found of propagating this permission is to get the user to logoff and logon again.

Is there a way of 'forcing' Windows permissions to be refreshed?

asked May 26 '10 at 07:24 AM in Default

Kev Riley ♦♦
46k ● 38 ● 43 ● 69

(comments are locked)

3 answers:

I do security the same way and I used to have that problem but I've got this working now. I can't remember where I found this but if you let all users view all folders (with the View Folder role, not the Browser role so they can see the folder but only reports they have access to) then they can see a report as soon as you give them access.

Here's what you do:

Go into Site Settings | Configure item-level role definitions and create a new role (eg. View Folders Role). Tick the View Folders task.

Add the domain group(s) to the security of every folder in your new View Folders Role role.

answered May 26 '10 at 01:10 PM

David Wimbush
4.2k ● 25 ● 29 ● 31

David, tried that but the user still didn't see any new folders/reports until they logged off and on again - not sure if it matters but I don't have the folders in Home inheriting permissions from the parent folder

May 27 '10 at 01:10 PM Kev Riley ♦♦

Sorry Kev, I was rushing and got it a bit wrong. You need to apply the View Folders role to every folder. It doesn't let them see any reports they don't have, just the folders.

May 28 '10 at 04:59 AM David Wimbush

That's quite a few folders.....

May 28 '10 at 08:55 AM Kev Riley ♦♦

Hmm. I only had about 20 so it was worth the effort. Can't think of anything else, I'm afraid.

May 28 '10 at 09:18 AM David Wimbush

Don't get me wrong it's a good workaround, just not suitable entirely for my solution!

May 28 '10 at 09:34 AM Kev Riley ♦♦

(comments are locked)

Ahh think I might have found the answer. It appears not, according to an answer found here

The user receives his/her security token at logon. The security token contains information regarding the user's group membership and other rights.

If you add or remove a user to/from a particular group, then that user needs to receive a new token in order take advantage of the group membership. This process only occurs at logon. It cannot happen "on the fly."

answered May 26 '10 at 12:01 PM

Kev Riley ♦♦
46k ● 38 ● 43 ● 69

(comments are locked)

Do you have more than one domain controller? It may be a requirement for replication to take place between the AD servers so that they are all up-to-date. Sometimes here we have to force replication manually to get user accounts to pick up new permissions. This isnt much better than the user logoff/logon though, its just a different person doing the work.

answered May 26 '10 at 07:41 AM