Granting Permissions to Create Power Management Report Subscriptions in SCCM

With the role based administration controls (RBAC) in SCCM 2012 and above, a common way to grant access to reporting is using the built-in security role Read-Only Analyst.  This role grants access to view Configuration Manager objects, but also to run reports.  However, it does not grant permission to create subscriptions to these reports.  Subscription permissions are tied to other built-in roles.  For example, adding the Operating System Deployment Manager security role to a user would add the ability to create subscriptions to reports about OSD.  The only built-in role that grants permission to schedule Power Management reports, though is the Operations Administrator role.  Using custom permissions, we can grant the ability to create a subscription for all reports including Power Management.  These custom permissions will still honor any Security Scopes and Collections that are assigned to the Administrative User.

Existing Permissions

An easy way to verify the existing permissions for a report, or report category, is to use the SQL Reporting Services webpage.  From the SCCM Admin console’s Monitoring tab, simply select Reporting, then click the link to Report Manager.  Find the category, or report you’d like to check permissions for and select Security.


In my example, you can see that the only role assigned to my MMcFly0001 user is ConfigMgr Report Users, which does not include the ability to create a subscription.  The roles that allow us to do that are ConfigMgr Report Administrators, or Browser.


Grant Access to Create Report Subscriptions

Built-in roles cannot be edited so start by creating a custom Security Role.  Navigate to Administration\Overview\Security\Security Roles, right click an existing view and select Copy.

Blog3.PNGOpen the properties of your newly created role and update the name.  I like to preface my custom roles with something that identifies it as custom such as the company name or initials (Ex. DU-ReportSubscriber).

On the Permissions tab, remove all existing permissions.  The permission you want is for the entire site, so expand Site and change Modify Report to Yes.Blog4

Finally, add the users you’d like to have this permission to the Administrative Users tab and click OK.

By default, security configuration runs every 10 minutes.  You can check the next run interval, along with the status using the Program Files/Microsoft Configuration Manager/Logs/srsrp.log on the Primary Site server.  Once this has run, you can verify that the permissions now your defined Administrative User having the ConfigMgr Report Administrators role.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s