Creating the Reporting User role in ConfigMgr. 2012

Role based Security in ConfigMgr. 2012 is much different from ConfigMgr. 2007. The new version ships with predefined security roles like Administrator, Infrastructure Administrator etc. One role is missing though – the Reporting User role.

Create the Reporting User role

  1. Open the ConfigMgr. Console, navigate to the Administration workspace and select Security, Security Roles
  2. Select the Read-Only Analyst role and click Copy on the ribbon. This role comes very close to our reporting only role.


  3. Name the Role Reporting User. Go thru all the security settings and remove all settings except Run Report.


  4. Click OK and save the custom role.

Associate an Active Directory group with the new Reporting User role

  1. Create an Active Directory group called Reporting Users
  2. Open the ConfigMgr. Console, navigate to the Administration workspace and select Security, Administrative Users
  3. Click Add User or Group from the Ribbon.
  4. Click Browse, type the name of the Active Directory and click OK.
  5. In Assigned Security Roles click Add and select the Reporting User role.
  6. Notice the default collections that are selected in Security Scopes and Collections. All Systems and All Users will allow the Reporting User to see all objects in the reports.


  7. Click OK – the user role is now configured

What happens if the reporting user tries to log on to the ConfigMgr. console?

The end user will not be able to open the ConfigMgr. administrator console. They will get an access denied.


By |2012-02-24T00:11:38+00:00February 24th, 2012|Configuration Manager (SCCM), Security|13 Comments

About the Author:

Kent Agerlund
Microsoft Regional Director, Enterprise Mobility MVP. Microsoft Certified Trainer and Principal consultant. I have been working with Enterprise client management since 1992. Co-founder of System Center User Group Denmark in 2009. Certified MCITP: Enterprise Administrator, MCSA+Messaing, and much more. Member of: Microsoft Denmark System Center Partner Expert Team The Danish Technet Influencers program System Center Influencers Program.


  1. […] I recently ran into an issue that non-admin users were unable to create subscriptions on the Reporting Services Point. After installing the Reporting Services Point, I created a Reporting User security role based on Kent Agerlund’s blog: […]

  2. David September 23, 2013 at 6:17 - Reply


    Is there a way to restrict users to only see a subset of the Reports that are available in SCCM 2012? For instance, we have a team that we would like to restrict to only seeing the Software Metering reports.

    Is that possible?

  3. Matt September 25, 2013 at 2:46 - Reply

    Hey David,

    SCCM 2012 R2 supports applying the RBA security to individual reports



  4. Niki April 2, 2014 at 14:31 - Reply

    Problem with this though, is that the user with these permissions are able to run and open reports but they don’t show any data, as they don’t have read access to the data!

  5. Ahmad April 8, 2014 at 3:15 - Reply

    I am also having problems granting user access to run only one specific report.

    I’ve also followed the procedure listed here, but it does not work either.

    Can someone please elaborate the exact working method on how to grant access on a single report in such a way that users cannot see any other reports/folders in SSRS?

  6. evoges April 8, 2014 at 22:34 - Reply

    I also have the same issue as Niki… they have access to the reports in IE (don’t care about the console), but when they run a report, no data is returned.

    Has anyone figured out what settings need to be set, to get access to the data?

    • Frostygills April 17, 2014 at 10:32 - Reply

      Evoges and Niki, we had this issue too and have just figured out how to resolve. After lots of querying of the DB and SSRS, we found that we had to add the ‘Read’ permission to each section where we were giving the ‘Run Report’ permission. Otherwise, we had the SSRS header but, no data or error.

  7. ahmed June 11, 2014 at 22:07 - Reply

    We are using SCCM 2012 SP1 CU4. We have users group who have access to web reporting and for some reason their security role status is changing from “Active” to delete and they can no longer access web reports. However, they can still access SCCM console and function without any issue

  8. AL July 25, 2014 at 7:22 - Reply

    I believe I have a solution for the issues everyone is having. First, please note the date of Kent’s original post. He was probably using the RTM version of CM 2012 or something close to it. I’m sure things have changed a bit since then so his settings no longer work for more recent versions. Here’s what I did to get this working in my test lab which is running CM 2012 R2 CU2.

    1) Set everything up the way Kent describes above. This allows users to see reports on the SSRS website.

    2) Edit your Reporting Security Role and add the READ permission to each of the settings that also have the Run Report permission set. Frostygills mentioned this in a previous comment. This will give you the ability to see, select, and enter parameters in a report but does not necessarily let you see ALL of the data. Try stopping here and run a Hardware or Software Inventory report for a specific computer.

    3) The last step is to Edit your Reporting Security Role and add the READ RESOURCE permission in the COLLECTIONS section. This will allow the user to get data on a specific resource. Now try re-running your inventory report, but don’t just hit refresh on the actual report for the computer. You have to use your back button and return to the page where you enter/select the paramerter(s), refresh THAT page, enter your parameter(s), and you should now see data on the specific resource.

    • AL July 25, 2014 at 7:54 - Reply

      There is one caveat to implementing the additional steps noted above. Users with this role WILL be able to connect to your CM site using the console. Their access will of course be read only so it shouldn’t be a problem. But you never know, which is why I thought I should point that out.

  9. Adam December 9, 2014 at 17:00 - Reply

    Try importing this user role – worked great for me

  10. MChops January 13, 2016 at 14:35 - Reply

    Hello, what permission allows a user to create report subscription in the SCCM console?

  11. Hossam Almosallamy April 7, 2016 at 11:00 - Reply

    also I found that you must give read permission to the collection section in the permissions list if the report have a Collection Variables 🙂

Leave A Comment