Monday, September 10, 2007

"The permissions granted to user 'Domain\UserId' are insufficient for performing this operation. (rsAccessDenied)" in TFS

We've been up and running with TFS now for a few months. We started by using Source Control, then moved onto Team Build and Work Item tracking. We're now trying to implement Reports. Here was our latest issue.

We started off by adding everyone using the TFS Administration Tool v 1.2 as "Contributors" in TFS, "Contributor,Web Designer" in SharePoint, and "Publisher" in Reporting Services. From what we can tell, this action will add each user to the Publisher role in Reporting Services under the "Folder" which is created when the Team Project is created. E.g. Team Project Name = Test123, a Reporting Services "Folder" called Test123 is created.

Unfortunately after doing this, the user base continued to get the error "The permissions granted to user 'Domain\UserId' are insufficient for performing this operation. (rsAccessDenied)". We scratched our heads as when checking "Folder" permissions, the user shows up and has "Publisher" access.

This went on for days (actually months to be honest). After an extra long lunch, I came back to my desk and asked the question "What permissions does the Publisher really have?" You may argue that I should have asked this question long before, but in SQL Lesson 2 they say "Assign the Publisher role to users who will perform all of the tasks provided in the previous roles, with additional permissions for publishing reports and models from Business Intelligence Development Studio." The Browser role is right above this statement.

As it turns out the Publisher had the ability to "author reports or models in Report Designer or Model Designer and then publish those items to a report server", but could not View a report. I'd argue if you can publish a new report to the server, you should be able to View it like Browser right? Wrong.

Maybe we missed something in the TFS setup, but as far as I can tell the "Publisher" role did not have View Folders, View Model, View Reports, View Resources. So when the TFS Administrator Tool setup a Contributor with "Publisher" permissions as the default, we took it - and the documentation - as gospel and thus frustrated end users and administrators alike.

We ended up fixing the problem by appending all of Browser's permissions "View Folders, View Model, View Reports, View Resources" to Publisher and so far the problem is solved.

Outside of the "Lesson 2: Setting Item-level Permissions on a Report Server" documentation being incorrect - or at least ambiguous, I'm not sure if there is anyone to blame here. We should have checked the permissions of Publisher instead of assuming Microsoft's documentation was correct.

All in all, I think the root cause is TFS is laborious to administer and thus causes tons of headaches when trying to implement it. From what I hear, they are working on the administration of TFS v2.0, but until then make sure if you add a user to the Publisher group in Reporting Services, either make sure Publisher has all the permissions Browser has, or add all users to both groups. If you've already got 150+ users setup in TFS, I'd recommend the former so you don't have to edit each user.

2 comments:

Tahir said...

Hi,

I have a my user name 'domain\user' which has administrator rights to local windows vista. I have assigned all roles to this login. But still i cant Open the URLs.

http://localhost/reportServer
and
http://localhost/reports

I get same message of not having sufficent priviledges and in second i get only header of page. No folders.

As i said, i have alredy assigned all roles to my user name using Management studio.

Any idea?

Thanks,
Tahir

Trevor said...

hi there,

this is what my current host (asphostcentral.com) do to install the Reporting Service 2008 for me.

1. They asked me to provide a Report Server and Report Manager URL, e.g. www.myDomain.com/RS for Report Server and www.myDomain.com/RM for report Manager
2. They begin to install the SSRS 2008 by specifying the above URL on the Web Service URL and Report Maanger URL
3. They did create the Report Server Manager database for me
4. Under the Service Account, they use my FTP details as the login details
5. Once this is done, they created a user called "my_FTP_Username" on the Report Manager interface and assign the role: BROWSER and PUBLISHER for me.

They then came back to me and informed that everything is up and running. I tested it out and yes, it was working perfectly. The MOST common issues that I can see is that usually you guys FAILS to assign the correct role to the FTP User. If you have an FTP User called: "abc" then, the BROWSER and PUBLISHER must be assigned to "abc" user.

With just $4.99/month, I strongly believe that asphostcentral.com is worth a try. They did charge some fees for SSRS 2008, but it certainly recommended as there is no headache whatsover :)

I am a happy camper with them :)