pvuppala
Advocate II

Security Automation tasks using Reporting Services PowerShell

Hello,

I am trying to automate some security tasks for ReportServer using Reporting Services Tools as mentioned in this link.

https://github.com/microsoft/ReportingServicesTools

It's great to be able to bulk add users to the Home folder and create any folder/subfolders via PS script (New-RsFolder), but I'm wondering if there's a way to disable parent inheritance. We have so many users/groups that we don't want for all folders, so we end up deleting all users except Admin roles on any new folder manually.

Is there any way we can disable the parent inheritance via PS script? Or is there any option to bulk revoke (Revoke-RsCatalogItemAccess) all roles for a new folder and keep the Admin users? Right now we go to the security tab manually, check all, and uncheck the admin roles to delete. It's too slow to delete each role via script (we have over 500+ or so, so a foreach loop isn't really the best way to remove them).

Please help!!

Thank you!

-Pawan

2 ACCEPTED SOLUTIONS
d_gosbell
Super User

If you look at the source code for Revoke-RsCatalogItemAccess here https://github.com/microsoft/ReportingServicesTools/blob/master/ReportingServicesTools/Functions/Sec...

It is actually getting the full list of access roles using $proxy.GetPolicies, then removing the specified identity, then pushing the new access list back using $proxy.SetPolicies.

So you could use this same pattern to just call $proxy.SetPolicies once and pass in your admin user(s).

I'd make sure to test this well on a non-production folder first to make sure you get this working properly.

pvuppala
Advocate II

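This is what I ended up doing; it seems fairly simple to take the policy from a dummy folder that has the security set the way I need it on any new folder that we create.

$InheritParent = $true   # [ref] output: GetPolicies sets it to whether the item inherits its parent's policy

$Proxy = New-WebServiceProxy -Uri $ReportServerAsmx -UseDefaultCredential

$Policies = $Proxy.GetPolicies($ItemPath, [ref]$InheritParent)   # policy list of the template (dummy) folder

$Proxy.SetPolicies($ItemPathToSet, $Policies)   # replaces the new folder's policy list in a single call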

Thank you so much!

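The GetPolicies / filter / single SetPolicies pattern from the two accepted answers, as an added example that is not code from the thread or from ReportingServicesTools. The function name `Set-RsFolderKeepRoles` and its parameters are hypothetical, treating "Content Manager" as the admin role is an assumption, and it assumes Windows PowerShell 5.1, where `New-WebServiceProxy` is available.

```powershell
# Added example (not from the thread). Set-RsFolderKeepRoles and its parameters are
# hypothetical names; "Content Manager" as the admin role is an assumption.
function Set-RsFolderKeepRoles {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Placeholder form: http://<server>/ReportServer/ReportService2010.asmx
        [Parameter(Mandatory)] [string] $ReportServerAsmx,
        # Folder whose policy list is replaced
        [Parameter(Mandatory)] [string] $ItemPath,
        [string[]] $KeepRoles = @('Content Manager')
    )

    $proxy = New-WebServiceProxy -Uri $ReportServerAsmx -UseDefaultCredential

    # GetPolicies returns the effective list; $inherits reports whether it comes from the parent.
    $inherits = $true
    $current  = $proxy.GetPolicies($ItemPath, [ref]$inherits)

    # Keep an entry only if at least one of its roles is in the allowlist.
    # A kept entry retains all of its roles, not only the allowlisted ones.
    $keep = @($current | Where-Object {
        @($_.Roles | Where-Object { $KeepRoles -contains $_.Name }).Count -gt 0
    })

    # Refuse to write an empty list: nobody could manage the folder afterwards.
    if ($keep.Count -eq 0) {
        throw "No policy on '$ItemPath' holds any of: $($KeepRoles -join ', '). Nothing changed."
    }

    $removed = @($current | Where-Object { $keep.GroupUserName -notcontains $_.GroupUserName })
    Write-Verbose "Inherits parent: $inherits; keeping $($keep.Count), removing $($removed.Count)"

    if ($PSCmdlet.ShouldProcess($ItemPath, "Replace $($current.Count) policies with $($keep.Count)")) {
        # One round trip instead of one revoke per identity; the folder stops inheriting.
        $proxy.SetPolicies($ItemPath, $keep)
    }

    # Return what was kept and dropped so the change can be logged and reviewed.
    [pscustomobject]@{
        ItemPath = $ItemPath
        Kept     = $keep.GroupUserName
        Removed  = $removed.GroupUserName
    }
}
```

Running it with `-WhatIf -Verbose` against a non-production folder shows what would be kept and removed without writing anything. The proxy's `InheritParentSecurity($ItemPath)` method puts a folder back on its parent's policy list.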

6 REPLIES
pvuppala
Advocate II

So there isn't any other way to Bulk load Security Groups into the Home or root folder?  I was hoping for some stored procedures to handle all this user management.  Thanks in advance!

pvuppala
Advocate II

Somehow my scripts are running extremely slow or timing out. I'm curious if there are any Stored Procedures to Bulk Add Users/Groups into Security at the root or Home level? Has anyone gone down that path? We add about 20-50 AD user groups every week, so we need to find an efficient way to do this redundant task.

Thanks in advance!


@pvuppala wrote:

We add about 20-50 AD user groups every week, so we need to find an efficient way to do this redundant task.


Why don't you do this all in AD? We create one or two AD groups for each of our folders (usually one for Browser rights and another for Publish rights), then we add other users/groups to those AD groups.

It means our IT help desk can process requests for access, and it keeps the security in Report Server simple and fast.

That's exactly what we're doing, but we are creating several folders which have different AD groups associated with each folder and sometimes subfolder. We manage about 300 report server folders and handle all new requests. I can't help but wonder: in the end all the data gets stored in ReportServer tables (Users, Security, Policies, etc.), so there's gotta be another way to INSERT all these into tables.
