Management Reporter Security: The Basics

I have previously posted about the tendency to not think about security until the end of a project. This is just as true with Management Reporter as it is with Dynamics GP and SQL Reporting Services. However, as with anything else, thinking about security early in the report design process can be critical to efficient and successful implementation.

Let’s break down Management Reporter security in to three basic areas:

  • Company access, validated with your Dynamics GP credentials
  • Management Reporter access, controls the functions a user can complete
  • Report access, controls access to reports, folders and reporting units

Let’s start from the beginning, with company access. Within Management Reporter, you can control which companies a user can access. This would apply to those users accessing the Report Designer.

Management Reporter | Security | Users

Right-click | New User or Modify (to modify existing user)

Company Access tab

Users granted access to a company in Management Reporter can select the company as default when accessing the Report Designer. Company access also can be controlled by security groups (Management Reporter | Security | Groups) and assigned to the user using the Groups tab. Please note if a user is assigned to the Viewer security role, the Company Access tab is not relevant and the company access cannot be enabled.

Users given access to a company in Management Reporter will be prompted to enter the credentials when accessing that company. Users will need to use their Dynamics GP credentials to access the company, as this is how Management Reporter confirms the user has access to the corresponding Microsoft Dynamics GP database.

The second layer of security mentioned above, Management Reporter access, also is controlled in Management Reporter through Security | Users.

Management Reporter | Security | Users

Right-click | New User or Modify (to modify existing user)

General Tab

You can assign a selected Windows user—use the Search button to locate a domain user—to a specific role in Management Reporter. This, in turn, controls what they can or cannot do. The available roles are:

  • Viewer—View reports published to the Reports Library
  • Generator—Generate and export reports
  • Designer—Create building blocks (rows, columns, trees and report definitions) as well as generate and view reports
  • Administrator—Complete all activities in Management Reporter

Incidentally, the licensing for Management Reporter generally follows two different categories of users:

  • Administrator/Designer users—Limits number of users that can be configured as administrators or designers
  • Viewer/Generator—Limits number of users that can be configured as viewers or generators

The final element of security outlined above is Report Access. This can be controlled in three key ways:

  • Building block security
  • Reporting tree unit security
  • Report library security

Building block security is the ability to protect a building block from edits; a password is required to make changes to the building blocks. This security is enabled by opening a building block (row, column, tree or report definition) and clicking the Protect/Unprotect icon.

Open building block

Click Protect/Unprotect icon

Enter and confirm password to apply protection to prevent edits

Once a building block is protected, users will be prompted to enter the password in order to open the building block for editing. If no password is entered, the building block is opened in read-only mode.

The second method to control report security is through Reporting Trees.

Open Reporting Tree

For selected reporting unit, navigate to Column L—Unit Security

Click to open Unit Security window

Users and groups entered on a reporting unit will be restricted to viewing only the units to which they are assigned. This will affect the user’s ability to view the different reporting units in the Report Viewer when a report is published.

The final aspect of report security is the actual Report Library security. This controls the folders and individual reports a user can see in the Report Library. It is important to note administrators can see all reports in the Report Library.

Report Viewer

Right-click on Library or other subfolder | Report Library Permissions

Assigning users or groups to a folder grants them access to that folder and its contents. For example, users assigned to the Report Library root folder automatically will gain access to all subfolders and reports. You also can right-click on an individual report within the Report Library and grant access to a specific report.

In my experience, it is easier to create folders for each report group/security group and assign the appropriate permissions to the folders. Then, any report you publish to a selected folder will automatically inherit the permissions from the folder. Within the Report Library permissions window, you can control the specific View, Edit, Create and Delete permissions for the selected folder/report.

P.S.:  After setting up your folders in the Report Library, don’t forget to update the output path on the Report Definition to the correct folder within the Report Library!

For more information on Management Reporter security, or for assistance in configuring security for Management Reporter, contact us at gpsupport@bkd.com.

14 thoughts on “Management Reporter Security: The Basics

  1. avatarAmanda

    Hi Christina,

    In your blog you mention that you can assign permissions to an individual report but I am not seeing where you can do that. When I right-click on a report in the Report Library, I get an option Report Library Permissions but this updates the entire folder with the permissions that I assign instead of just updating the one report. Any guidance you can provide would be helpful. THanks!

  2. avatarChristina Phillips

    When you are in the Reports Library Permissions window, make sure you have selected an individual report in the top portion of the window. Thanks!

  3. avatarTerry

    Hello – great article! Helps a lot.

    Here’s my question – I’d like to allow many users to be able to generate reports from Designer (with ability to change reporting period and year), but I don’t want them to “check out” the report or be able to modify it in any way (other than selecting the reporting period/year).

    Is it possible to provide only read-only access in designer?

    Thanks!

  4. avatarSheila Jefferson-Ross

    Hi Christina,

    Great article! What are the effects of security in the web viewer? What level of security must they have to do the following?

    – Refresh a report in their web viewer
    – Publish the refreshed report from the web viewer

    Thank you,
    Sheila

  5. avatarBrad Johnson

    I’m trying to assign Viewer rights to individual reports for a Sales Mgr and a Marketing Mgr to their respective cost statements. I can see the properly allocated rights in Report Viewer, but when I send the users the links in an email, they can both access both reports. How do I control that other than sending only 1 link to each person.

  6. avatarIrfan

    Can I disable OR un-check the “permission granted” option under any role if I have environment of multiple databases under one instance. example I have one instance and under one instance have two databases, Database A and Database B, I dont want to give access or view to MR Administrator to view or edit to Company Access? coz problem is MR tables have under one database Dynamics.

    Thanks

    Irfan

    1. avatarChristina Phillips

      Hi-

      I am not sure I understand your question. Are you referring to company access (GP), if so you would control that through Dynamics GP (and the ability to edit it). In MR, even an administrator will be limited to the companies that they have access to in GP.

      -Christina Phillips

  7. avatarElsa Williams

    I’m having an issue where security for reporting units is being completely ignored??? The user is a viewer and is entered in only 3 of 50 or so reporting units in a tree, and the user still sees the entire link via browser. They are on build 11. Is anyone else having this issue?

    1. avatarChristina Phillips

      We haven’t seen that particular issue, but you may have better success troubleshooting by posting on the Microsoft Dynamics community message boards where there can be some back and forth discussion of the particulars 🙂

    2. avatarRob Klaproth

      You have to assign security to all of the units not just the ones you want the user to be able to access. So all the ones you don’t want them to access you need to assign to a different user or group who should be able
      To access the other units.

  8. avatarLynda K

    Is there a security report that can be generated to show all users, whether they are active or disabled, shows what level of access they have (designer, generator) and what companies they have access to?

  9. avatarMounika

    we are on AX2012 R3 CU11

    Accounting manager role in AX has designer permissions in MR. lets say if we have 10 accounting managers in our system , I need only one user “user A” to be a designer in AX.. How do we control this..? when i open security in MR, i can’t edit the user role in MR to be a viewer/generator who is having designer role as you showed in second screenshot.

    I also have a requirement that the user should just be able to be a designer in MR without accountant/accounting manager role in AX. So I created custom role “MR designer” with following privileges.

    LedgerBalanceSheetDimMaintain
    LedgerBalanceSheetDimPrintGenerate
    LedgerFinancialJournalReportBGenerate

    None of my two requirements are satisfying the way I am going fwd..! is it that we cant customize it or anything wrong in the way I am going forward

Leave a Reply

Your email address will not be published. Required fields are marked *