SQL Server permissions that are set by the Configuration Wizard
For your information, here are the SQL Server permissions that report services grants to each user type. The Report Services Configuration wizard sets these permissions automatically.

| User type | Required SQL Server permissions |
|---|---|
| report services account to run the SQL Server Reporting Service | Snapshot Service (predefined role) |
| SQL Server service account to run SQL Server | If you deploy to an existing SQL Server instance, the configuration wizard makes no changes to the SQL Server service account. If you deploy to a new SQL Server instance: if the operating system is Windows 2008 and you’re using a SQL Server version later than 2012, virtual accounts are used for various SQL Server components, as follows: SQL Server engine: NT SERVICE\MSSQL$<InstanceName>; SQL Server Agent: NT SERVICE\SQLAgent$<InstanceName>; Full text search: NT SERVICE\MSSQLFDLauncher$<InstanceName>; SSRS: NT SERVICE\ReportServer$<InstanceName>. Otherwise, the SQL Server service accounts are configured as follows: SQL Server engine: NT Authority\Network Service; SQL Server Agent: NT Authority\Network Service; Full text search: NT Authority\Local Service; SSRS: NT Authority\Local Service. |
| report admin to run the Report Configuration Wizard and deploy reports to an existing SQL Server instance | Connect SQL (cannot be revoked after setup); Create Database, Create any database, or Alter any database; member of securityadmin role, or Alter any login permission |
| report admin to modify the Reports Control Panel | SnapshotAdmin (predefined role) |
| Report viewer to view reports from SSRS/Internet Explorer | Login permission; SnapshotViewer (predefined role) |
| Report writer read, write, edit access for reports, in addition to the permissions needed to view reports | Login permission; SnapshotViewer (predefined role) |

Note: Microsoft SQL Server Reporting Services (SSRS) affords only role-based security in its reports. Be sure to grant appropriate access to reports. For example, a user who has access to only some data in the specified domain but who has access to all reports will be able to view all reports on all data from Active Directory.
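
To confirm that a report admin login holds the server-level rights listed in the table before deploying to an existing instance, an administrator can run a check like the following. This is an added example, not part of the product documentation: the login name is a constructed placeholder, the mapping of "Create Database" to the CREATE DATABASE permission in master is an assumption, and the caller needs the right to impersonate the login (for example, sysadmin).

```sql
-- Added example (not vendor code). Constructed placeholder login name.
DECLARE @login sysname = N'EXAMPLE\report_admin';

-- 1. Explicit server-scope grants and denies recorded for the login.
--    A DENY here overrides a GRANT inherited from a role or Windows group.
SELECT pr.name AS login_name,
       pe.permission_name,
       pe.state_desc                 -- GRANT, GRANT_WITH_GRANT_OPTION or DENY
FROM sys.server_permissions AS pe
JOIN sys.server_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = @login
  AND pe.class = 100                 -- 100 = server scope
  AND pe.permission_name IN (N'CONNECT SQL', N'CREATE ANY DATABASE',
                             N'ALTER ANY DATABASE', N'ALTER ANY LOGIN');

-- 2. Effective rights, evaluated as the login itself so that role and
--    Windows group membership are taken into account.
EXECUTE AS LOGIN = @login;

SELECT
    SUSER_SNAME() AS evaluated_as,
    HAS_PERMS_BY_NAME(NULL, NULL, 'CONNECT SQL') AS connect_sql,
    -- Any one of the three database-creation rights in the table suffices.
    CASE WHEN HAS_PERMS_BY_NAME('master', 'DATABASE', 'CREATE DATABASE') = 1  -- assumed mapping
           OR HAS_PERMS_BY_NAME(NULL, NULL, 'CREATE ANY DATABASE') = 1
           OR HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER ANY DATABASE') = 1
         THEN 1 ELSE 0 END AS can_create_database,
    -- securityadmin membership or ALTER ANY LOGIN, as the table states.
    CASE WHEN IS_SRVROLEMEMBER('securityadmin') = 1
           OR HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER ANY LOGIN') = 1
         THEN 1 ELSE 0 END AS can_manage_logins,
    -- Flag broader access than the table requires.
    IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

REVERT;  -- always return to the administrator's own security context
```

A row of 1, 1, 1 in the first three flag columns means the prerequisites in the table are met; `is_sysadmin = 1` means the login holds more than the table asks for and is worth reviewing.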