Create a custom role in SSMS (item-level example)
- Connect to Reporting Services
Open SSMS → Connect → Reporting Services → enter your Web Service URL (e.g.,http://<server>/reportserver
). - Add a new role
In Object Explorer: Security → Roles → New Role. Give it a name and description. Pick the item-level tasks you need. Save. - Assign the role
Go to the web portal (/reports
) → Site settings / folder Manage → Security → Add group or user → choose your custom role. Repeat where needed (inheritance applies to child folders unless you break it).
Case study 1: “Viewer & Export (no publish)”
Goal: Allow users to open reports and export to PDF/Excel/CSV from the toolbar, but block publishing/overwriting content.
Why this role is useful: It’s perfect for wide readership audiences who should consume and export, but never alter or deploy reports.
How to build it (tasks to tick):
- ✅ View Folders
- ✅ View Reports (enables interactive view + export)
- ✅ View Resources (optional, if you store files like images/help)
- ✅ Manage Individual Subscriptions (optional: let users manage their own subscriptions only)
- ❌ Manage Reports (keeps users from uploading, replacing, deleting, setting properties like data sources/report history)
- ❌ Manage Folders / Manage Data Sources / Manage Shared Datasets / Manage Permissions
Important limitation: Downloading a source file (e.g., .RDL
and, where applicable, .PBIX
) is governed by manage-level capabilities. There is no separate task that says “download source but not publish”. In other words, you can allow exported renderings (PDF/Excel/etc.) with View reports, but you cannot allow downloading the source while blocking publish/replace. Tasks are predefined and can’t be split further.
Case study 2: “Data Source Curator”
Goal: Allow a central data-ops team to manage shared data sources without touching report content.
Tasks to tick:
- ✅ View Folders, View Reports, View Resources (for context)
- ✅ Manage Data Sources (create/update connection strings/credentials)
- ❌ Manage Reports / Manage Folders / Manage Shared Datasets / Manage Permissions
Testing & troubleshooting checklist
- Role scope: Did you create an item-level or system-level role (not mixed)?
- Assignment level: Is the role assigned at the right folder (and inherited), or did you break inheritance somewhere?
- Least privilege: Start with minimal tasks (e.g., View Reports), add more only if a real need appears. Tasks can’t be customised, so keep roles simple.
Official Microsoft docs (recommended reading)
- Create, delete, or modify a role (SSMS):
https://learn.microsoft.com/sql/reporting-services/security/role-definitions-create-delete-or-modify - Predefined roles (and note about using SSMS for custom roles):
https://learn.microsoft.com/sql/reporting-services/security/role-definitions-predefined-roles - Tasks and permissions (overview):
https://learn.microsoft.com/sql/reporting-services/security/tasks-and-permissions - Item-level tasks (applies to PBIRS):
https://learn.microsoft.com/sql/reporting-services/security/tasks-and-permissions-item-level-tasks - System-level tasks:
https://learn.microsoft.com/sql/reporting-services/security/tasks-and-permissions-system-level-tasks - Grant users access / role assignments in the web portal:
https://learn.microsoft.com/sql/reporting-services/security/grant-user-access-to-a-report-server
Wrap-up
Custom roles in Power BI Report Server are straightforward once you remember two things: create them in SSMS, and compose them from built-in tasks. With patterns like Viewer & Export (no publish) and Data Source Curator, you can tighten governance without slowing the business down.