We're testing role-based administration with our SCCM 2012 R2 SP1 server. We set up a test user with the Read-Only Analyst security role, all system collection, and the default security scope.
The test user can run reports just fine from the browser.
In the Config Mgr Admin Console, the test user can see the same reports, view properties of the reports, but can NOT run them. Nothing happens when you click Run.
Is this a feature or are we missing something?
Read-only analyst is just that: read only. You cannot run reports, edit anything, delete anything etc.
Also don't do "all system collection, and the default security scope." as it makes the whole exercise pointless. I know it's a little fiddly but remember you only have to do this work ONCE. If you let people on the product and allow "all systems" they only have to do the wrong thing and send it to "All Systems" ONCE to ruin your whole week, maybe longer.
You need to remove both, and choose specific collections for specific people/roles. e.g. desktop people can only see desktop collections.
With regard to reporting, strangely out of the box there is no "reporting role" which means you have to create one, using a custom role.
Create a custom scope for only the collections you need, create the custom role and then test.
It works via the web page because the web-page offers different security permissioning. It concentrates more on what reports you can see, per user if I recall.
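
A check for the over-broad assignments the answer warns about, as an added example that is not part of the original thread. The function name, account names and the custom role, collection and scope names are constructed; it assumes the objects returned by `Get-CMAdministrativeUser` expose `LogonName`, `RoleNames`, `CollectionNames` and `CategoryNames` (security scope names).

```powershell
# Added example: flag administrative users whose RBAC assignment still includes
# the "All Systems" collection or the "Default" security scope.
function Find-BroadAdminAssignment {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$AdminUser,
        [string[]]$BroadCollections = @('All Systems'),
        [string[]]$BroadScopes      = @('Default'),
        # Built-in role that is expected to cover everything; skipped by default.
        [string[]]$IgnoreRoles      = @('Full Administrator')
    )
    process {
        $ignored = @($AdminUser.RoleNames | Where-Object { $_ -in $IgnoreRoles })
        if ($ignored.Count) { return }

        $hitCollections = @($AdminUser.CollectionNames | Where-Object { $_ -in $BroadCollections })
        $hitScopes      = @($AdminUser.CategoryNames   | Where-Object { $_ -in $BroadScopes })

        if ($hitCollections.Count -or $hitScopes.Count) {
            [pscustomobject]@{
                LogonName        = $AdminUser.LogonName
                Roles            = $AdminUser.RoleNames -join ', '
                BroadCollections = $hitCollections -join ', '
                BroadScopes      = $hitScopes -join ', '
            }
        }
    }
}

# Constructed sample data so the function can be tried offline.
$sample = @(
    [pscustomobject]@{ LogonName = 'EXAMPLE\sccm.admin';   RoleNames = @('Full Administrator')
                       CollectionNames = @('All Systems'); CategoryNames = @('All') }
    [pscustomobject]@{ LogonName = 'EXAMPLE\report.test';  RoleNames = @('Read-Only Analyst')
                       CollectionNames = @('All Systems'); CategoryNames = @('Default') }
    [pscustomobject]@{ LogonName = 'EXAMPLE\desktop.tech'; RoleNames = @('Desktop Reporting (custom)')
                       CollectionNames = @('Desktop Workstations'); CategoryNames = @('Desktop') }
)

# Only EXAMPLE\report.test is reported.
$sample | Find-BroadAdminAssignment | Format-Table -AutoSize

# Against a live site, from the ConfigMgr PowerShell drive (assumption stated above):
#   Get-CMAdministrativeUser | Find-BroadAdminAssignment
```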