none
Report Builder (rsaccessdenied) error message

    Question

  • Hi,

     

    I have created a Report Model and published it on our QA environment Report Server(Where I dont have admin access). When I try to launch the Report Builder tool and create a sample report and Run the report it gives me this error. "The permissions granted to user 'Domainname/user group' are insufficient for performing this operation. (rsAccessDenied)" I checked with the Admins on this server the usergroup has a "Browser" Role. I had read on some online fourm that if user group has browser role it should work. But I cant get it work any help is appreciated.

     

    I have published the same Report Model in Deveploment environment report server(where I have admin access) and when I do the same thing I am able to run the reports.

     

    Some one please help me its causing delay in our testing.

     

    Thanks

    Ashwini

    Thursday, August 09, 2007 3:00 PM

Answers

  • Report Builder - rsAccessDenied - "domain/user does not have sufficient permission etc"

    I have spent days researching this and, thanks to this forum, I have come up with the fix, so here it is - step by step. You need to be "Report Server" website administrator though.

    ===========================================================
    What happens?..
    When a user opens Report Builder and drops fields into the table, they then press Run report.
    However, they may get the error "rsAccessDenied" - even though they obviously have permission to open Report Builder and see the fields to drop into the table on their new report.

    The reason this message appears for a user is that they have not been given the "Execute Report Definitions" permission and this is not where you would think it would be. In fact, you can't give a user this permission just like that. This is what you need to do:-

    1. Open Report Server web page on the SQL Server as administrator (eg., http://servername/Reports/Pages/Folder.aspx)

    2. Choose "Site Settings" from the top right hand corner of the page that appears (only admins will see this)

    3. Click "Configure system-level role definitions" in the bottom left hand side, where it sits underlined with two other options

    4. Create a new role called "Report Builder Execution" (or any name you want that helps you remember why you did it)

    5. You will now see some options/permissions that you can assign to this new role. Choose the top option - "Execute Report Definitions". I have no idea why you can assign this to a role, but you can't assign it to a permission set or a user.

    6. Click OK and go back to site settings page. You now have a new role simply to apply that permission

    7. Next, click one of those three underlined options in the bottom left hand corner called "Configure Site-Wide Security" and we're going to give selected WinAD domain users or groups this particular role. After all, if they are given permission to run report Builder and see Report Models, it is essential they also have this role so that they can execute the reports.
    The page that opens up is headed "System Role Assignments" (yes, I know, it's not the same as the link you clicked - I'm sure there must be a very sensible reason for this)

    8. Click "New Role Assignment" because you're now going to give a series of Windows AD users, or groups, the "Execute Report Definitions" permission that's in the new role you created.

    9. In the "Group or Username" box, add the group or user that needs to have this role - I have chosen "domain\domain users" because if people have Report Builder, they obviously need this role to be able to run their reports, so everyone's got it.

    10. Choose "Report Builder Execution" (or the name of the new role you created) in the list that is now showing.

    11. Click OK and close everything.

    What you have done is create a special role that contains that "Execute Report Definitions" permission because there's nowhere else that the permission appears so that you can give it to people. You can however give this role to people, and you can pop that permission into this role. So, job jobbed!

    Hope that helps somebody out there....

    I also hope that someone at Microsoft reads this and perhaps explains a better way of doing it or even why it's like this. We're on SQL2005 64 bit

    Thursday, September 10, 2009 4:02 PM
  • Yes, this is correct: the user must have the Execute Report Definitions system permission, and the steps you outlined are exactly how we would expect you to grant this permission.
    I think the point of confusion here may be that this is a server-wide permission which is why it is configured in the Site Settings, system-level role definitions area.  Typical report/data source permissions are configured on a per-item basis in the catalog but this particular permission is not tied to the catalog.  The reason for this is that granting this permission allows the user to execute arbitrary (user-submitted) report definitions on the report server, including ones which define their own embedded data sources, and as such don't reference anything in the report server catalog at all.  We often refer to this as the permission to execute ad-hoc reports on the server.
    Anyway, thanks for the explanation for other users and hopefully this helps clarify a bit.
    Thursday, September 17, 2009 6:20 PM
    Moderator

All replies

  • I think you need the report builder role. Not just browser, that is not enough permission.

     

    http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=573815&SiteID=1

     

    Thursday, August 09, 2007 3:06 PM
    Moderator
  • Thank you!! I will let the Admin know about this and ask them include the Report Builder Role and will try again and see if it works.

    Thursday, August 09, 2007 3:55 PM
  • Ok we tried giving the role Report Builder to the user and Report Builder Role has these tasks assosicated - Consume Reports,Manage Individual Subscriptions,View Folders,View Models,View reports,View resources. Even after giving this role it did not work. So we even selected all the tasks under Report Builder Role just for testing this did not work either.

     

    Here is the exact scenario: when I get the error message it says this user's "IHS-T-CRRSWQ-01\IUSR_WFS-4376A9A5D75" permission granted is insufficient this user is the one which is running on IIS. But this is one of the user under user group "NT AUTHORITY\Authenticated Users" which has Report Builder Role. I am really getting into circels here any help appreciated.

     

    Thanks!!

    Thursday, August 09, 2007 6:56 PM
  •  

    Please post the exact error message.

    Jens K. Suessmeyer

    ---
    http://www.sqlserver2005.de
    ---

    Friday, August 10, 2007 3:33 PM
    Moderator
  • Error Message:

     

    "The permissions granted to user ' Username' are insufficient for performing this operation. (rsAccessDenied)"

     

    Thanks

    Ashwini

    Friday, August 10, 2007 3:48 PM
  • Please, if someone has a solution, i've the same problem.

     

    Friday, September 14, 2007 10:35 AM
  • I know this is an old post, but I'm feeling desperate - we have been struggling with this same issue for days now...users experiencing this issue are database owners on the reporting server and on the sql server where the model exists.  All rights that can be assigned through the Reporting Services web-interface-based security management have been assigned - in theory there should be *nothing* that these user's are restricted from....but we are seeing the same error message after they have opened the report builder, when they try to run the report they've built.

     

    Any information would be appreciated!

    Wednesday, October 01, 2008 7:55 PM
  • Hi Rose,

     

    When I had this issue I spent whole lot of time but could not get anywhere but later found out that there was some patch or some kind of update missing on the QA server which was giving me this problem (Sorry I dont remember the exact detail about the patch since this was a year back). It was nothing to do with the role and permissions. Ask your DBA to check on the server.

     

    I hope this helps.

     

    Ashwini

     

    Thursday, October 02, 2008 9:12 PM
  • If you're still seeing this problem I would recommend looking at the reportserver log files (in LogFiles directory where reporting services is installed) to see if they provide any additional information.

     

    Thursday, October 02, 2008 11:42 PM
    Moderator
  • Report Builder - rsAccessDenied - "domain/user does not have sufficient permission etc"

    I have spent days researching this and, thanks to this forum, I have come up with the fix, so here it is - step by step. You need to be "Report Server" website administrator though.

    ===========================================================
    What happens?..
    When a user opens Report Builder and drops fields into the table, they then press Run report.
    However, they may get the error "rsAccessDenied" - even though they obviously have permission to open Report Builder and see the fields to drop into the table on their new report.

    The reason this message appears for a user is that they have not been given the "Execute Report Definitions" permission and this is not where you would think it would be. In fact, you can't give a user this permission just like that. This is what you need to do:-

    1. Open Report Server web page on the SQL Server as administrator (eg., http://servername/Reports/Pages/Folder.aspx)

    2. Choose "Site Settings" from the top right hand corner of the page that appears (only admins will see this)

    3. Click "Configure system-level role definitions" in the bottom left hand side, where it sits underlined with two other options

    4. Create a new role called "Report Builder Execution" (or any name you want that helps you remember why you did it)

    5. You will now see some options/permissions that you can assign to this new role. Choose the top option - "Execute Report Definitions". I have no idea why you can assign this to a role, but you can't assign it to a permission set or a user.

    6. Click OK and go back to site settings page. You now have a new role simply to apply that permission

    7. Next, click one of those three underlined options in the bottom left hand corner called "Configure Site-Wide Security" and we're going to give selected WinAD domain users or groups this particular role. After all, if they are given permission to run report Builder and see Report Models, it is essential they also have this role so that they can execute the reports.
    The page that opens up is headed "System Role Assignments" (yes, I know, it's not the same as the link you clicked - I'm sure there must be a very sensible reason for this)

    8. Click "New Role Assignment" because you're now going to give a series of Windows AD users, or groups, the "Execute Report Definitions" permission that's in the new role you created.

    9. In the "Group or Username" box, add the group or user that needs to have this role - I have chosen "domain\domain users" because if people have Report Builder, they obviously need this role to be able to run their reports, so everyone's got it.

    10. Choose "Report Builder Execution" (or the name of the new role you created) in the list that is now showing.

    11. Click OK and close everything.

    What you have done is create a special role that contains that "Execute Report Definitions" permission because there's nowhere else that the permission appears so that you can give it to people. You can however give this role to people, and you can pop that permission into this role. So, job jobbed!

    Hope that helps somebody out there....

    I also hope that someone at Microsoft reads this and perhaps explains a better way of doing it or even why it's like this. We're on SQL2005 64 bit

    Thursday, September 10, 2009 4:02 PM
  • Yes, this is correct: the user must have the Execute Report Definitions system permission, and the steps you outlined are exactly how we would expect you to grant this permission.
    I think the point of confusion here may be that this is a server-wide permission which is why it is configured in the Site Settings, system-level role definitions area.  Typical report/data source permissions are configured on a per-item basis in the catalog but this particular permission is not tied to the catalog.  The reason for this is that granting this permission allows the user to execute arbitrary (user-submitted) report definitions on the report server, including ones which define their own embedded data sources, and as such don't reference anything in the report server catalog at all.  We often refer to this as the permission to execute ad-hoc reports on the server.
    Anyway, thanks for the explanation for other users and hopefully this helps clarify a bit.
    Thursday, September 17, 2009 6:20 PM
    Moderator
  • You just save my day.

    Thx.


    Sami Marzouki
    Wednesday, September 22, 2010 7:45 AM