cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
pvuppala
Helper II
Helper II

Security Automation tasks using Reporting Services PowerShell

Hello,

I am trying to automate some security tasks for ReportServer using Reporting Services Tools as mentioned in this link.

https://github.com/microsoft/ReportingServicesTools

 

Its great to be able to bulk add users to Home folder and create any folder/subfolders via PS script (New-RsFolder) but I'm wondering if there's a way to disable parent inheritance.  We have so many user/groups that we dont want for all folders so we end up Deleting all users except Admin roles on any new folder manually.

Is there anyway we can disable the parent inheritance via PS script?  Or is there any option to bulk Revoke (Revoke-RsCatalogItemAccess) all roles for a new folder and keep the Admin users, Right now we go to security tab manually and check all and uncheck admin roles to delete.  Its too slow to delete each role via script, (we have over 500 +or so foreach loop isn't really the best way to remove)

 

Please help!!

 

Thank you!

-Pawan

2 ACCEPTED SOLUTIONS
d_gosbell
Super User
Super User

If you look at the source code for Revoke-RsCatalogItemAccess here https://github.com/microsoft/ReportingServicesTools/blob/master/ReportingServicesTools/Functions/Sec...

 

It is actually getting the full list of access roles using $proxy.GetPolicies, then removing the specified identity, then pushing the new access list back using $proxy.SetPolicies

 

So you could use this same pattern to just can $proxy.SetPolicies once and pass in your admin user(s)

 

I'd make sure to test this well on a non-production folder first to make sure you get this working properly.

View solution in original post

pvuppala
Helper II
Helper II

This is what I ended up doing, seems fairly simple to take policy from a dummy folder that I need the way security on any new folder that we create.

$proxy = New-WebServiceProxy -Uri $ReportServerAsmx -UseDefaultCredential ;

$Policies = $Proxy.GetPolicies($ItemPath, [ref]$InheritParent)

$Proxy.SetPolicies($ItemPathToSet, $Policies)

 

Thank you so much!

View solution in original post

6 REPLIES 6
pvuppala
Helper II
Helper II

So there isn't any other way to Bulk load Security Groups into the Home or root folder?  I was hoping for some stored procedures to handle all this user management.  Thanks in advance!

pvuppala
Helper II
Helper II

Somehow my scripts are running extremely slow or timing out.  I'm curious if there are any Stored Procedures to Bulk Add Users/Groups into Security at the root or Home level?  Anyone went down that path?  We add about 20-50 AD user groups every week so need to find an efficient way to do this redudant task.

 

Thanks in advance!


@pvuppala wrote:

We add about 20-50 AD user groups every week so need to find an efficient way to do this redudant task.


Why don't you do this all in AD? We create one or two AD group for each of our folders (usually one for Browser rights and another for Publish rights), then we add  other users/groups to those AD groups.

 

It means our IT help desk can process requests for access and it keeps the security in Report Server simple and fast.

Thats exactly what we're doing but we are creating several folders which have different AD groups associated for each folder and sometimes subfolder. We manage about 300 report server folders and handle all new requests.  I can't help but wonder in the end all the data gets stored in ReportServer tables (Users, Security, Policies etc.,)  there's gotta be another way to INSERT all these into tables.

pvuppala
Helper II
Helper II

This is what I ended up doing, seems fairly simple to take policy from a dummy folder that I need the way security on any new folder that we create.

$proxy = New-WebServiceProxy -Uri $ReportServerAsmx -UseDefaultCredential ;

$Policies = $Proxy.GetPolicies($ItemPath, [ref]$InheritParent)

$Proxy.SetPolicies($ItemPathToSet, $Policies)

 

Thank you so much!

d_gosbell
Super User
Super User

If you look at the source code for Revoke-RsCatalogItemAccess here https://github.com/microsoft/ReportingServicesTools/blob/master/ReportingServicesTools/Functions/Sec...

 

It is actually getting the full list of access roles using $proxy.GetPolicies, then removing the specified identity, then pushing the new access list back using $proxy.SetPolicies

 

So you could use this same pattern to just can $proxy.SetPolicies once and pass in your admin user(s)

 

I'd make sure to test this well on a non-production folder first to make sure you get this working properly.

Helpful resources

Announcements
September Update

Check it Out!

Click here to learn more about the September 2022 updates!

Power BI Dev Camp Session 26

Check it Out!

Mark your calendars and join us on Thursday, September 29 at 11a PDT for a great session with Ted Pattison!