Thursday, August 12, 2010

User with Report Operator Role in SCOM R2 gets error ‘Loading reporting hierarchy failed. The permissions granted to user 'xxxxx' are insufficient for performing this operation’

When a new User Role is created in SCOM R2 based on the ‘Report Operator’ profile and one or more users are added to it, those users can get this error when they try to access the SCOM R2 Reports:


Date: xxxxxxxxxxxxxx
Application: System Center Operations Manager 2007 R2
Application Version: 6.1.7221.0
Severity: Error
Message: Loading reporting hierarchy failed.

System.Web.Services.Protocols.SoapException: System.Web.Services.Protocols.SoapException: The permissions granted to user 'SYSTEMCENTER\test' are insufficient for performing this operation. ---> Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: The permissions granted to user 'SYSTEMCENTER\test' are insufficient for performing this operation.
   at Microsoft.ReportingServices.WebServer.ReportingService2005Impl.ListChildren(String Item, Boolean Recursive, CatalogItem[]& CatalogItems)
   at Microsoft.ReportingServices.WebServer.ReportingService2005.ListChildren(String Item, Boolean Recursive, CatalogItem[]& CatalogItems)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.EnterpriseManagement.Mom.Internal.UI.Reporting.ReportingService.ReportingService2005.ListChildren(String Item, Boolean Recursive)
   at Microsoft.EnterpriseManagement.Mom.Internal.UI.Reporting.ManagementGroupReportFolder.GetSubfolders(Boolean includeHidden)
   at Microsoft.EnterpriseManagement.Mom.Internal.UI.Reporting.WunderBar.ReportingPage.LoadReportingSubtree(TreeNode node, ManagementGroupReportFolder folder)
   at Microsoft.EnterpriseManagement.Mom.Internal.UI.Reporting.WunderBar.ReportingPage.LoadReportingTree(ManagementGroupReportFolder folder)
   at Microsoft.EnterpriseManagement.Mom.Internal.UI.Reporting.WunderBar.ReportingPage.LoadReportingTreeJob(Object sender, ConsoleJobEventArgs args)

It might seem strange, but there is a good explanation for it and (gladly) a good solution. Basically it all comes down to read, read and read, also known as RTFM.

Let’s take a few steps back and see how this error message came to be:

  1. User Test is created in AD;
  2. User Test is granted the User Role Report Operator in SCOM R2;
  3. User Role is in place so we’re ready to rock! Or aren’t we forgetting something now…
  4. User Test starts the SCOM R2 Console and wants to open the Reporting section. Will it work? NO, it won’t:

But WHY doesn’t it work?

Hmm. Let’s take a step back, to number 3 actually, where the new User Role is shown. Let’s check it out!

  1. Double click on the newly created User Role and go to the tab Identity
  2. Wow! But that explains a lot. So let’s continue and hit the button Copy. Also notice the nice link at the bottom (More about configuring the reporting role). It will direct you to the SCOM R2 help file explaining how to add AND configure a Report Operator Role… :)
  3. Open the webpage of the SSRS instance hosting the SCOM R2 Reporting component (http://servername/myreports);
  4. Go to the tab Properties and hit the button New Role Assignment;
  5. Paste the earlier copied ID and add the Roles as needed (Browser and My Reports will suffice most of the time);
  6. Hit OK and close IE. Now user Test can access the SCOM R2 Reports:
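
The role assignment from steps 3 to 5 can also be scripted against the SSRS web service (the ReportingService2005 endpoint that appears in the stack trace above). This is an added example, not part of the original post: the server name, the default `ReportServer` virtual directory and the role ID are placeholders or assumptions, and it needs Windows PowerShell 2.0 to 5.1 for `New-WebServiceProxy`. It lists the existing assignments first, so you can see who already has access before adding a principal.

```powershell
# Added example: scripted equivalent of the "New Role Assignment" steps.
# Assumptions: server name, virtual directory and role ID are placeholders.
$ReportServerUri = 'http://servername/ReportServer/ReportService2005.asmx?wsdl'
$RoleId          = '<ID copied from the Identity tab>'   # placeholder, paste yours
$ItemPath        = '/'                                    # Home folder of the SSRS catalog
$RoleNames       = 'Browser', 'My Reports'                # roles named in step 5

# Connect with the current Windows credentials (must be an SSRS Content Manager).
$rs = New-WebServiceProxy -Uri $ReportServerUri -UseDefaultCredential
$ns = $rs.GetType().Namespace   # the generated Policy/Role types live here

# Read the current role assignments on the item.
$inherit  = $true
$policies = @($rs.GetPolicies($ItemPath, [ref]$inherit))

# Show who can already reach this folder, and in which SSRS roles.
foreach ($p in $policies) {
    $roles = ($p.Roles | ForEach-Object { $_.Name }) -join ', '
    Write-Output ('{0} -> {1}' -f $p.GroupUserName, $roles)
}

if ($policies | Where-Object { $_.GroupUserName -eq $RoleId }) {
    Write-Output "Role ID already has an assignment on '$ItemPath'; nothing changed."
}
else {
    # Build the new assignment: one Policy holding one Role object per role name.
    $policy = New-Object "$ns.Policy"
    $policy.GroupUserName = $RoleId
    $policy.Roles = @($RoleNames | ForEach-Object {
        $role = New-Object "$ns.Role"
        $role.Name = $_
        $role
    })

    # SetPolicies replaces the whole list, so send the existing entries plus the new one.
    $rs.SetPolicies($ItemPath, $policies + $policy)
    Write-Output "Added role assignment for $RoleId on '$ItemPath'."
}
```

Because `SetPolicies` overwrites the full policy list of the item, always pass the existing entries along with the new one, as the script does.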

However, there is an issue to reckon with. In many environments it is not acceptable for an additional Report Operator to be able to access ALL SCOM R2 Reports, so scoping is often required there as well.

Update 13-08-2010: This posting describes in detail how to arrange this.


Pete Zerger said...

This was also already documented in great detail back in 2007 by Mike Betts.
Securing Report Access in Operations Manager 2007 -

Marnix Wolf said...

Hi Pete.

Thanks for your comment. In the meanwhile (13th of August 2010) I have published a similar posting, to be found here: