9.1 Understanding Reporting Center Security

Configuring security in Reporting Center means restricting or allowing users access to objects on the Navigation Tree, including folders, reports, dashboards, templates, and data source connections. You configure security settings in the Manage Security window, which you can access from the Global Tasks ribbon, the main home page, or the Tasks pane.

When you configure security, you can define the following:

Users: Individual user accounts. Administrators create an account for every user and determine user access to the Reporting Console. Reporting Center allows administrators to import user accounts from Windows Active Directory.
User Groups: Collections of user accounts. Every user must be a member of at least one group, and groups can be members of other groups. Reporting Center allows administrators to create new Reporting Center groups or import Windows Active Directory groups.
Permission Sets: Definitions specifying the level of access for groups to data source connections, folders, reports, and dashboards.

Configuring security includes the following types of tasks:

Enabling and disabling users, granting Reporting Center administrative permissions to individual users, and adding Windows users to Reporting Center.
Creating groups of Reporting Center users, granting administrative permissions to specific groups, and adding Windows users to Reporting Center groups.
Creating and enabling permission sets that grant or deny access to specific objects or tasks in Reporting Center.

9.1.1 Understanding Users and User Groups

You configure your security model by defining users, adding users to user groups, and assigning a group and a permission set to each object in the Navigation pane. You can create users, user groups, and permission sets in any order.

The primary purpose of creating a user in Reporting Center is to assign it to a group. Administrators can grant users administrative privileges, but they cannot associate permission sets with users by themselves. After installation, only the installing account has access to Reporting Center as a member of the predefined Administrators group.

Reporting Center provides the following predefined user groups that you cannot delete.

Reporting Center Administrators: Grants full, administrative permissions in Reporting Center. By default, Reporting Center adds the installing account to this group.In Reporting Center, to have administrative permissions, a user account must be a member of Reporting Center Administrators or a member of a group that is a member of it. Having administrative privileges outside of Reporting Center is not sufficient.
Reporting Center Users: Allows administrators to grant limited, non-administrative permissions in Reporting Center. By default, this group contains no members and has no permissions defined.

When you design your security model, take advantage of the flexibility that Reporting Center provides by importing groups and by adding groups as members of other groups. For example, you can import a complete Windows Active Directory group and grant the group access to a specific report. You can also configure that imported Active Directory group to be a member of another group, and at the top level grant the group access to relevant reports.

9.1.2 Understanding Permission Sets

Defining permission sets allows you to enforce more granular security for each object in Reporting Center. You can allow or restrict access to every task users can do. For example, one group can have permission to create and delete reports, and another group can have permission to only view reports. You decide what users can do depending on what users need to effectively do their jobs, and how you want to configure your environment.

When you configure permission sets, choose from the following three states.

	Granted: Users have access to the object with this permission or are allowed to do the specified task (such as modifying reports or creating folders).
	Denied: Users cannot access the object with this permission or are not allowed to do the specified task. When a user logs in, Reporting Center does not display the restricted objects.
	Not Granted: The specified task does not have any defined permissions. Users can view these objects (as long as the View a Node permission is granted), but cannot perform the tasks.

Reporting Center provides a number of predefined permission sets that you can either customize to create new permission sets, or use as provided. These permission sets allow various levels of access to data source connections, folders, reports, and dashboards in the Navigation Tree. The following table lists the predefined permission sets, along with the access they allow or restrict. If you customize one of these permission sets, you can allow or restrict access to each individual task, such as creating folders, exporting reports, and so on.

If you modify the predefined permission sets, NetIQ Corporation recommends that you do not change their names. If you upgrade Reporting Center in the future, Reporting Center reinstalls them with the original names.

NOTE:To ensure that a node is visible, you must include the View a Node permission in the permission set. Otherwise, it is possible for a group to have permissions to manipulate a node that is not displayed. Permission to run a report is included in the View a Node permission.

Category	Permission
Administration	Assign security rules to a Node
Folder	Create a Folder Delete a Folder Move a Folder Rename a Folder
Node	View a Node
Report	Create a Report Delete a Report Deploy a Report Export a Report Move a Report Print a Report Rename a Report Save a copy of Report Save a Report