Hi, I sat in on a meeting today about ssrs security.   It was with a company that bought our company and is moving away from a very expensive competitor of ssrs so i'm assuming for this discussion they have a very current enterprise product. 

The gist of the meeting went like this...

Before they get too involved with the neat stuff MS offers for security, they want to divide responsibility as follows:

1) data level security in sql server tables

2) role level security in ad (eg publisher, browser etc)

3) functional (eg accts payable, manufacturing etc) security in ad either separately from # 2 or "permutated" across

I told someone offline that I would check into the community's feeling on #2 and #3.  I told them my reason was that normally admins get all roles anyway, and specific job titles normally get just browser and report builder.  Does the community have a response?

My environment follows what the company that just bought yours does.  The reason being is with implementing groups in AD, i can turn the management of those groups over the Service Desk, Management, or systems that automate group population.  This way as people come and go, my team doesn't get bothered to make a ton of adjustments.  While nesting security groups can seem daunting at first, if properly implemented, it functions like a charm.

• Proposed as answer by Qiuyun YuMicrosoft contingent staff, Moderator 50 minutes ago

Hi ,

I completely agree what JJordheim said. To explore the different roles and permission level at the report server end .Please follow the below link

http://bhushan.extreme-advice.com/user-roles-and-permissions-in-ssrs/