SQL Server permissions that are set by the Configuration Wizard

Here are the SQL server permissions that report services grants to each user type, for your information. The Report Services Configuration wizard sets these permissions automatically.

SQL Server permissions set by the Report Services Configuration wizard

User type

Required SQL Server permissions

report services account

to run the SQL Server Reporting Service

Snapshot Service (predefined role)

SQL Server service account

to run SQL Server

If you deploy to an existing SQL Server instance, the configuration wizard makes no changes to the SQL Server service account.

If you deploy to a new SQL Server instance:

--If the operating system is Windows 2008 and you’re using a SQL Server version later than 2012, virtual accounts are used for various SQL Server components, as follows:

SQL Server engine: NT SERVICE\MSSQL$<InstanceName>

SQL Server Agent: NT SERVICE\SQLAgent$<InstanceName>

Full text search: NT SERVICE\MSSQLFDLauncher$<InstanceName>

SSRS: NT SERVICE\ReportServer$<InstanceName>

--Otherwise, the SQL Server service accounts are configured as follows:

SQL Server engine: NT Authority\Network Service

SQL Server Agent: NT Authority\Network Service

Full text search: NT Authority\Local Service

SSRS: NT Authority\Local Service

report admin

to run the Report Configuration Wizard and deploy reports to an existing SQL Server instance

Connect SQL (cannot be revoked after setup)

Create Database, Create any database, or Alter any database

member of securityadmin role, or Alter any login permission

report admin

to modify the Reports Control Panel

SnapshotAdmin (predefined role)

Report viewer

to view reports from SSRS/Internet Explorer

Login permission

SnapshotViewer (predefined role)

Report writer

read, write, edit access for reports, in addition to the permissions needed to view reports

Login permission

SnapshotViewer (predefined role)

Note:   Microsoft SQL Server Reporting System (SSRS) affords only role-based security in their reports. Be sure to grant appropriate access to reports. For example, if a user has access to only some data in the specified domain but all reports, they will be able to view all reports on all data from Active Directory.