I upgraded SQL 2008 to R2 including RS and noticed that each item has a context menu now. Very useful for admins, but why does a default Browser user can see this context menu? Finally the user is not permitted to execute any action (delete, move a report or edit its security settings). So, how can I show the context menus to all Admins and hide/disable it for all other users?

If you use the http://localhost/reports url, then you will not see any and you can use this for your normal users You can use the http://localhost/reportserver url for the adminsCheers, Jason P.S. : Please click the 'Mark as Answer' button if a post solves your problem! :)

Hi, Please see below. Granting Permissions on a Report Server SQL Server Reporting Services uses role-based authorization and an authentication subsystem to determine who can perform operations and access items on a report server. Role-based authorization categorizes into roles the set of actions that a user or group can perform. Authentication is based on built-in Windows Authentication or a custom authentication module that you provide. You can use predefined or custom roles with either authentication type. Using Roles to Grant Report Server Access All users interact with a report server within the context of a role that defines a specific level of access. Reporting Services includes predefined roles that you can assign to users and groups to provide immediate access to a report server. Content Manager, Publisher, and Browser are examples of predefined roles. Each role defines a collection of related tasks. For example, a Publisher has permission to add reports and create folders for storing those reports. Role assignments are typically inherited from a parent node, but you can break permission inheritance by creating a new role assignment for a particular item. A user who is a member of the Content Manager role for one report may be a member of the Browser role for another report. To grant access to report server items and operations, follow these guidelines: 1. Review the predefined roles to determine whether you can use them as is. If you need to adjust the tasks or define additional roles, you should do this before you begin assigning users to specific roles. For more information about each role, see Using Predefined Roles. 2. Identify which users and groups require access to the report server, and at what level. Most users should be assigned to the Browser role or the Report Builder role. A smaller number of users should be assigned to the Publisher role. Very few users should be assigned to Content Manager. 3. Use Report Manager to assign roles on the Home folder (this is the top-level folder of the report server folder hierarchy) for each user or group who requires access. 4. At the site level, on the Site Settings page in Report Manager, create a system-level role assignment for each user and group using the predefined rolesSystem User and System Administrator. 5. Create additional role assignments as needed for specific folders, reports, and other items. Avoid creating a large number of role assignments. If you create too many, it will be difficult to keep track of the different permission levels for each user. For more information about best practices and techniques for creating role assignments, see Tutorial: Setting Permissions in Reporting Services. Note If you configured a report server to run in SharePoint integrated mode, you must set permissions on the SharePoint site to grant access to report server items. For more information, see Granting Permissions on Report Server Items on a SharePoint Site. Who Sets Permissions Initially, only users who are members of the local administrators group can access a report server. Reporting Services is installed with two default role assignments that grant item-level and system-level access to members of the local administrators group. These built-in role assignments local Administrators to grant report server access to other users and manage report server items. The built-in role assignments cannot be deleted. A local administrator always has permission to fully manage a report server instance. Because full permissions on a report server include item-level and system-level permissions, a local administrator is assigned to the following roles: System Administrator Role Content Manager Role Additional configuration is required before you can administer a report server instance on a local computer that runs Windows Vista or Windows Server 2008. For more information, see How to: Configure a Report Server for Local Administration on Windows Vista and Windows Server 2008 (UAC). How Permissions are Stored Role assignments and definitions are stored in the report server database. If you are using variety of client tools or programmatic interfaces, all access is subject to the permissions that are defined for the report server instance as a whole. If you are configuring multiple report servers in a scale-out-deployment, the role assignments that you define on one instance are stored in a shared database and used by all the other instances in the same scale-out deployment. Because role assignments are stored with the items they secure, you can move the database to another report server instance without losing the permissions you defined. Tasks and tools for Managing Permissions Use the following tools to manage role definitions and assignments. Tool Tasks Management Studio - Used to view, modify, create, and delete role definitions. How to: Create, Delete, or Modify a Role (Management Studio) Report Manager - Used to assign users and groups to roles. How to: Grant User Access to a Report Server (Report Manager) How to: Modify or Delete a Role Assignment (Report Manager) Regards, PS Regards, PS

Hi, thanks for your replies. But I'm afraid I already have a good knowledge of the information you posted, so this won't help me. Our users access the Reports by the http://localhost/reports url. We configured RS security that the "Domain Users" AD group is member of the Browser role and a defined "RS-Admin" AD group member of the Content Manager role. 3 named users of the domain are permitted to this group. So we are back to the beginning: Our Domain users can see the reports they are permitted for, but also can open the context menu (http://userftp.kfv.at/zd_itlo/rs_browser.png). But without having any permissions, so when the user selects "Delete" ("Löschen") the following notification is returned: "The permission granted to user 'domain\user' are insufficient for performing this operation. (rsAccessDenied)" ("Die dem Benutzer 'domain\user' erteilten Berechtigungen reichen zum Ausführen des Vorgangs nicht aus. (rsAccessDenied)")

This works for me, your mileage may vary. In an aspx page right after login, I store a cookie 'a' as true or false if the person is admin or not. MS may not support this, so use at your own risk. I ended up changing the ReportingServices.js(make backup) to remove the menu. Located in C:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\ReportManager\js Changes made: Right after the main variable declarations, add this code(found at elated.com): function get_cookie(cookie_name) { var results = document.cookie.match('(^|;) ?' + cookie_name + '=([^;]*)(;|$)' ); if (results) return (unescape(results[2])); else return null ; } Modify the function Clicked(event, contextMenuId): function Clicked(event, contextMenuId) { if (get_cookie('a') == 'true') {//<--my add if (!_onLink) { ... document.getElementById(_currentContextMenuId).firstChild.focus(); } }//<--my add } Also modify the function OpenMenuKeyPress(e, contextMenuId), same way: function OpenMenuKeyPress(e, contextMenuId) { if (get_cookie('a' ) == 'true' ) {//<--my add // Alt key was pressed if (e.altKey) { ... } } }//<--my add } The Arrow image can be hidden by modifying the ReportingServices.css(make backup) by changing this definition: Does not change based on admin user. Located in C:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\ReportManager\Styles .msrs-SelectedItem tr td img{ visibility:hidden; }/*was visible*/ HTH Scott

Hi hannons, nice customization, thanks a lot! :) My only problem with this solution is, that I don't know where to set the cookie. Whatever aspx file I open, each one looks like this: <%@ Page language="c#" Codebehind="Folder.aspx.cs" AutoEventWireup="false" Inherits="Microsoft.ReportingServices.UI.FolderPage" EnableEventValidation="false" %> <%@ Register TagPrefix="MSRS" Namespace="Microsoft.ReportingServices.UI" Assembly="ReportingServicesWebUserInterface" %> I searched the web for customizing these aspx-files, without success. [Edit] For my needs I removed the "get_cookie"-function and created this one: function showContextMenu()<br/> { if (document.getElementById('ui_btnNewFold')) { return true; } else { return false; } } Then I replaced if (get_cookie('a' ) == 'true') with if (showContextMenu()) Due to the fact that users finally are not permitted to move, delete,.. reports it's enough to check whether a user can create a folder (manager) or not (user)

Awesome! it solved my issue, too. Thanks a bunch.

Excellent stuff, I've taken this 1 step further and cleared out everything connected to changing stuff if "new folder" button doesnt exist. Hope it helps! I've added som .css and some java functions and changed some other, this is what I did: added css classes: .msrs-SelectedItemNoMenu tr td img{ visibility:hidden; } .msrs-SelectedItemNoMenu{ border:1px solid #FFDE00; margin:0px; padding:0px; height:25px; width:200px; } /*cursor:pointer;*/ .msrs-SelectedItemNoMenu td{ border:solid 1px #ffffff; padding:0px; cursor:default; } /*cursor:pointer;*/ .msrs-SelectedItemNoMenu a { text-decoration:none; color:#000000; font-size:10pt; } .msrs-SelectedItemNoMenu a:hover { text-decoration:underline; color:#000000; font-size:10pt; cursor:pointer;} .msrs-SelectedItemNoMenuEnd { } /*background-color:#FFDE00; }*/ td.msrs-listItem table.msrs-SelectedItemNoMenu { width:400px; } and in the javascript I added these functions function showContextMenu() { if (document.getElementById('ui_btnNewFold')) return true; else return false; } function hideManagementButtons() { // dont hide if we have management rights if (showContextMenu()) return; var elem = document.getElementById('ui_btnSettings'); elem.style.display = 'none'; elem = getNextElement(elem.parentNode); if (elem && elem.className == 'msrs-toolBarSpacerImage') elem.style.display = 'none'; elem = document.getElementById('ui_btnMove'); elem.style.display = 'none'; elem = getNextElement(elem.parentNode); if (elem && elem.className == 'msrs-toolBarSpacerImage') elem.style.display = 'none'; elem = document.getElementById('ui_btnDeleteItems'); elem.style.display = 'none'; elem = getNextElement(elem.parentNode); if (elem && elem.className == 'msrs-toolBarSpacerImage') elem.style.display = 'none'; } function getNextElement(elem) { do { elem = elem.nextSibling; } while (elem && elem.nodeType != 1); return elem; } and changed the following functions: function InitContextMenu(divContextMenuId, selectedIdHiddenFieldId, contextMenusIds, searchTextBoxID, defaultSearchValue ) { ResetSearchBar( searchTextBoxID, defaultSearchValue ); //added this if (!showContextMenu()) { hideManagementButtons(); return; } //end ........... } function Clicked(event, contextMenuId) { // added this if (!showContextMenu()) return; // end .......... } function OpenMenuKeyPress(e, contextMenuId) { .... if (keyCode == 40 && showContextMenu()) // added the showcontextmenu ... } function ChangeReportItemStyleOnFocus(id, currentStyle, unselectedStyle) { // added if (!showContextMenu() && currentStyle == 'msrs-SelectedItem') currentStyle +='NoMenu'; // end ... } function ChangeReportItemStyleOnMouseOver(id, currentStyle, unselectedStyle) { // added if (!showContextMenu() && currentStyle == 'msrs-SelectedItem') currentStyle +='NoMenu'; // end .... }

Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load 'use this in the codebehind of a page that points to the reportmanager url 'I use this because my reportmanager actually exists inside a virtual directory in a web app 'make this .aspx page the default for the wrapper web app 'Get the user name without the server name(using local users and groups) Dim sUser as String = Mid(HttpContext.Current.User.Identity.Name, InStr(HttpContext.Current.User.Identity.Name, "\", CompareMethod.Text) + 1) 'check if admin isAdmin = HttpContext.Current.User.IsInRole("BUILTIN\administrators")'your group may be different 'write cookie Response.Cookies("a").Value = isAdmin Response.Cookies("a").Expires = Now.ToUniversalTime.AddDays(30.0) 'go to your reportmanager url Response.Redirect("<your reportmanager url>", False) End Sub