
In Ssrs 2019, how are TaskMask and RoleFlags to be interpreted?


If you do SELECT * FROM Roles WHERE 1=1; in the Ssrs database catalog, you see stuff like this:

Output in SSMS of the above SELECT

How does one interpret the values in "TaskMask" and "RoleFlags"? I've found partial information here and there across the 'Net, but nothing from Microsoft.


Solution

  • There's nothing really easily discoverable out there on the 'Net, so I went and decompiled the ReportingServicesLibrary.dll (I used "dnSpy") and searched until I found what I was looking for in the Microsoft.ReportingServices.Library.AuthzData class.

    I discovered the following about the "Roles" table in the Ssrs database catalog:

    1. The values stored in Roles.RoleFlags are actually just underlying values of the SecurityScope enum. They indicate which enum to use to interpret TaskMask.
    2. The values stored in Roles.TaskMask correspond to the members of either the CatalogItemTaskEnum, CatalogTaskEnum, or ModelItemTaskEnum enums. A "1" means the member/setting is "on" and "0" means it's "off". Reading the string from left-to-right, each position (0-based) corresponds to the enum member's underlying value. If a position is missing on the right end, it's assumed that the setting is "off".

    Warning

    If you are going to use Sql to change a Role's TaskMask, don't UPDATE it directly. Instead, use the SetRolePropertiesAndInvalidatePolicies sproc. That takes care of setting the SecData.NtSecDescState column to 1 on all the existing policies that are linked to the Role (which marks the data as "dirty"). The next time the Ssrs ReportServer service checks for policy updates, it'll update the serialized (AceCollection) data stored in the SecData.NtSecDescPrimary column for all "dirty" records in that table---for your Authorization Extension. (That SecData data is what an Authorization extension is presented with when checking permissions/access.)

    E.g.

    Consider the built-in "Folder Viewer" role. Since RoleFlags is "0", that corresponds to SecurityScope.CatalogItem and means TaskMask is interpreted using CatalogItemTaskEnum. Next, since TaskMask is "000000100000000000", that means they have the ViewFolders "task" permission, because the "1" is at position/index 6 (zero-based) in the TaskMask string, and the underlying value of CatalogItemTaskEnum.ViewFolders is 6.

    Code definitions

    internal enum SecurityScope
    {
        CatalogItem,
        Catalog,
        ModelItem
    }
    
    internal enum CatalogItemTaskEnum
    {
        Invalid = 268435455,
        ConfigureAccess = 0,
        CreateLinkedReports,
        ViewReports,
        ManageReports,
        ViewResources,
        ManageResources,
        ViewFolders,
        ManageFolders,
        ManageSnapshots,
        Subscribe,
        ManageAnySubscription,
        ViewDataSources,
        ManageDataSources,
        ViewModels,
        ManageModels,
        ConsumeReports,
        Comment,
        ManageComments
    }
    
    internal enum CatalogTaskEnum
    {
        Invalid = 268435455,
        ManageRoles = 0,
        ManageSystemSecurity,
        ViewSystemProperties,
        ManageSystemProperties,
        ViewSharedSchedules,
        ManageSharedSchedules,
        GenerateEvents,
        ManageJobs,
        ExecuteReportDefinitions
    }
    
    internal enum ModelItemTaskEnum
    {
        Invalid = 268435455,
        ViewModelItems = 0
    }
    

    They've added items over the years. E.g. CatalogItemTaskEnum.Comment didn't exist in Ssrs2012.
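
The decoding rule from the answer above, as an added Python example for auditing role permissions (not part of the original post and not Microsoft's code). It uses the enum order listed in the answer; the `SENSITIVE` set, the function names and the "Constructed ..." sample rows are assumptions made for illustration.

```python
# Added example: decode SSRS Roles.TaskMask using the enum order given in the answer.
CATALOG_ITEM = [
    "ConfigureAccess", "CreateLinkedReports", "ViewReports", "ManageReports",
    "ViewResources", "ManageResources", "ViewFolders", "ManageFolders",
    "ManageSnapshots", "Subscribe", "ManageAnySubscription", "ViewDataSources",
    "ManageDataSources", "ViewModels", "ManageModels", "ConsumeReports",
    "Comment", "ManageComments"]
CATALOG = [
    "ManageRoles", "ManageSystemSecurity", "ViewSystemProperties",
    "ManageSystemProperties", "ViewSharedSchedules", "ManageSharedSchedules",
    "GenerateEvents", "ManageJobs", "ExecuteReportDefinitions"]
MODEL_ITEM = ["ViewModelItems"]

# RoleFlags value -> (SecurityScope member, task names indexed by underlying value)
SCOPES = {0: ("CatalogItem", CATALOG_ITEM), 1: ("Catalog", CATALOG),
          2: ("ModelItem", MODEL_ITEM)}

# Assumption: which tasks to flag as security-sensitive is this example's choice.
SENSITIVE = {"ConfigureAccess", "ManageRoles", "ManageSystemSecurity"}

def decode_role(role_flags, task_mask):
    """Return (scope name, list of task names that are 'on')."""
    if role_flags not in SCOPES:
        raise ValueError(f"unknown RoleFlags value: {role_flags!r}")
    scope, names = SCOPES[role_flags]
    mask = task_mask.strip()  # tolerate padding around the stored string
    if set(mask) - {"0", "1"}:
        raise ValueError(f"TaskMask must contain only 0/1: {task_mask!r}")
    # Positions missing on the right end are 'off', so a short mask needs no
    # padding. A '1' past the known members (a version with more tasks than
    # listed here) is reported by index rather than dropped.
    tasks = [names[i] if i < len(names) else f"Unknown({i})"
             for i, bit in enumerate(mask) if bit == "1"]
    return scope, tasks

def audit(rows):
    """Map role name -> sorted sensitive tasks it grants (roles with none omitted)."""
    findings = {}
    for name, flags, mask in rows:
        _, tasks = decode_role(flags, mask)
        hits = sorted(SENSITIVE.intersection(tasks))
        if hits:
            findings[name] = hits
    return findings

SAMPLE_ROWS = [
    ("Folder Viewer", 0, "000000100000000000"),  # the row walked through in the answer
    ("Constructed Admin", 1, "11"),              # constructed: short mask, Catalog scope
    ("Constructed Item Owner", 0, "1011"),       # constructed: short mask, CatalogItem scope
]
```

Feed `audit` the `(RoleName, RoleFlags, TaskMask)` rows from the Roles table to list which roles can change security settings.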