-
Title
How to give users access to the MessageStats Web Reports or prevent users from accessing the reports -
Description
How can I give certain users access to the reports and prevent other users from accessing them.
-
Resolution
There are two types of security that can be implemented, Role Based Security and File System Based Security
Role Based Security
Role-based security provides an initial layer of security for your reports. Three local security groups, each with specific permissions, are created when MessageStats Reports is installed:
• Web Report Administrators
• Web Report Authors
• Web Report Users
The effect of role-based security is uniform for all reports. All three security groups have access to the report site and to all reports. The roles (Administrator, Author, and User) provide different permissions that can restrict the ways reports can be manipulated.
The default membership to these security groups places administrators in the Web Report Administrator role, and all others in both the Web Report Authors and Web Report Users roles.
To customize the memberships, you can add or remove users from the default groups. Administrators can specify which users belong to which roles by modifying their membership in these local groups. The role-based security scheme is easier to manage than the file-system permissions security scheme, as the changes to these security groups immediately affect all reports.
Note: To restrict the reports to specific users the \Everyone group has to be removed from the Web Report Authors and Web Report Users groups.
To find the actions associated with each role go to the MessageStats report and select the Help Menu and search for Role Based Security.
File-System Based Security
In addition to the Web Report security roles, you can set an additional level of security using a folder-based permissions scheme. At minimum, the role-based security scheme allows all roles to view all reports.
Alternately, a folder-based permission scheme can restrict the available reports to some users. Explicit permissions are applied on a per-group or per-user basis, and assigned to individual folders and the reports they contain. You can configure the settings so that different groups, such as executive management, the help desk, and Exchange administrators can see different report nodes and reports.
System administrators can create more sophisticated security schemes by modifying the folder permissions in the file system on the web server. Report files and folders are normally located in the following path: c:\inetpub\wwwroot\MessageStatsReports\Reports. By restricting the reports that are available to all users, you can protect sensitive analytical data from users that do not require that information.
When using a folder-based security scheme each user accessing the Web Reports needs to be a member of the Web Report Users role.
Note: The top level MessageStats Reports folder and the My Reports folder can not be restricted. The top level folder contains the Corporate Exchange At A Glance report and will be visible to all users. The My Reports folder belongs to each user and as such cannot be removed.
To restrict access to any other folder please do the following:
- On the MessageStats server create new local groups, one for each set of users that require access to different sets of reports
- Add the necessary users to each appropriate group
- Create a central folder for each set of users by opening the MessageStats Reports and creating a new folder that will hold the reports the applicable users
- Copy or move the required reports to each of the new folders you created in step 3
- On the MessageStats server browse to the following directory: C:\inetpub\wwwroot\MessageStatsReports\Reports
- Right click a folder that begins with '#' and select Properties
- Select the Security tab
- Add the local groups you created in step 1
- Remove all Allow permissions and check Deny for List folder contents for each of the new local groups you created
- Repeat steps 6-9 for each of the folders that begin with '#'
When a user who is a member of one of the local groups you created in Step 1 accesses the MessageStats reports through a web browser they will only see the folder (and the reports in that folder) to which you did not check Deny List folder contents.