Role based Security in ConfigMgr. 2012 is much different from ConfigMgr. 2007. The new version ships with predefined security roles like Administrator, Infrastructure Administrator etc. One role is missing though – the Reporting User role.
Create the Reporting User role
- Open the ConfigMgr. Console, navigate to the Administration workspace and select Security, Security Roles
- Select the Read-Only Analyst role and click Copy on the ribbon. This role comes very close to our reporting only role.
- Name the Role Reporting User. Go thru all the security settings and remove all settings except Run Report.
- Click OK and save the custom role.
Associate an Active Directory group with the new Reporting User role
- Create an Active Directory group called Reporting Users
- Open the ConfigMgr. Console, navigate to the Administration workspace and select Security, Administrative Users
- Click Add User or Group from the Ribbon.
- Click Browse, type the name of the Active Directory and click OK.
- In Assigned Security Roles click Add and select the Reporting User role.
- Notice the default collections that are selected in Security Scopes and Collections. All Systems and All Users will allow the Reporting User to see all objects in the reports.
- Click OK – the user role is now configured
What happens if the reporting user tries to log on to the ConfigMgr. console?
The end user will not be able to open the ConfigMgr. administrator console. They will get an access denied.