RhoSysAdmin asked:

SCCM 2012 RBA question: Read-only Analyst cannot run reports from Config Mgr Admin console?

We're testing role based administration with our SCCM 2012 R2 SP1 server. We set up a test user with the Read-Only Analyst security role, all system collection, and the default security scope.

The test user can run reports just fine from the browser.

In the Config Mgr Admin Console, the test user can see the same reports, view properties of the reports, but can NOT run them. Nothing happens when you click Run.

Is this a feature or are we missing something?


Last comment: Mike T, 8/22/2022 - Mon

Mike T


Read-only analyst is just that: read only. You cannot run reports, edit anything, delete anything etc.
Also don't do "all system collection, and the default security scope." as it makes the whole exercise pointless. I know it's a little fiddly but remember you only have to do this work ONCE. If you let people on the product and allow "all systems" they only have to do the wrong thing and send it to "All Systems" ONCE to ruin your whole week, maybe longer.

You need to remove both, and choose specific collections for specific people/roles, e.g. desktop people can only see desktop collections.

With regard to reporting, strangely out of the box there is no "reporting role" which means you have to create one, using a custom role.
Create a custom scope for only the collections you need, create the custom role and then test.

It works via the web page because the web-page offers different security permissioning. It concentrates more on what reports you can see, per user if I recall.
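
An added example, not part of the thread or any poster's code: a PowerShell audit for the scoping advice in the answer above, listing administrative users who are still assigned a site-wide collection or a built-in security scope. It assumes input objects shaped like those returned by `Get-CMAdministrativeUser` (`LogonName`, `RoleNames`, `CollectionNames`, `CategoryNames`); the function name, the exemption for Full Administrator, and the sample accounts are constructed for illustration.

```powershell
# Flags administrative users whose assignment is site-wide rather than scoped.
# Hypothetical helper: expects the LogonName, RoleNames, CollectionNames and
# CategoryNames properties (CategoryNames holds the security scope names).
function Find-BroadRbaAssignment {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $AdminUser,
        [string[]] $BroadCollections = @('All Systems', 'All Users and User Groups'),
        [string[]] $BroadScopes      = @('All', 'Default'),
        [string[]] $ExemptRoles      = @('Full Administrator')
    )
    process {
        # Full Administrators are expected to be site-wide, so skip them.
        $exempt = @($AdminUser.RoleNames | Where-Object { $_ -in $ExemptRoles })
        if ($exempt.Count -gt 0) { return }

        $hitCollections = @($AdminUser.CollectionNames | Where-Object { $_ -in $BroadCollections })
        $hitScopes      = @($AdminUser.CategoryNames   | Where-Object { $_ -in $BroadScopes })

        if ($hitCollections.Count -gt 0 -or $hitScopes.Count -gt 0) {
            [pscustomobject]@{
                LogonName        = $AdminUser.LogonName
                Roles            = $AdminUser.RoleNames -join ', '
                BroadCollections = $hitCollections -join ', '
                BroadScopes      = $hitScopes -join ', '
            }
        }
    }
}

# Constructed sample data so the function runs without a site connection.
$sample = @(
    [pscustomobject]@{ LogonName = 'EXAMPLE\rbatest';  RoleNames = @('Read-only Analyst')
                       CollectionNames = @('All Systems');       CategoryNames = @('Default') }
    [pscustomobject]@{ LogonName = 'EXAMPLE\deskteam'; RoleNames = @('Custom Report Runner')
                       CollectionNames = @('Desktops - Site A'); CategoryNames = @('Desktop Scope') }
    [pscustomobject]@{ LogonName = 'EXAMPLE\sccmadmin'; RoleNames = @('Full Administrator')
                       CollectionNames = @('All Systems');       CategoryNames = @('All') }
)

# Only EXAMPLE\rbatest is reported: broad collection and built-in scope.
$sample | Find-BroadRbaAssignment | Format-Table -AutoSize

# From a Configuration Manager PowerShell session on a real site:
#   Get-CMAdministrativeUser | Find-BroadRbaAssignment
```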


I started with a custom security scope, a custom security role that has several "run reports" permissions, and a specific collection. It works fine from the browser, but never from the Admin Console. I started broadening the permissions to see what might be missing. I finally made them as broad as possible, but it was no use.

I can run the reports from the console if I'm the SCCM Administrator, so I know there's some magic combo of permissions that works.

By the way, I had to assign my custom security scope to the site for the reports to run from the browser for the test user. If that "shouldn't" be necessary, let me know. I'll work back through the security scope permissions again. It seems fine at the moment. My test user can see some site settings, but can't change anything. There are plenty of other areas where the test user sees nothing from the Admin Console.
Mike T

OK - I will try and set up my own reporting user. I have a requirement for it shortly anyway, so I will see what works and post it here.

Hey Mike T,

Did you have any success with your report user setup and running the reports from within the Config Mgr Admin Console as the report user?
Mike T

Hi - not yet. I have set some others as a test first but I know MS decided that reporting was different so it is deliberately missing as a role and you need to be slightly more creative. I will be doing it shortly.
Mike T

Custom Roles are the way to do this as described.