Products Affected

All ELM 5.x, ELM 6.x writing to SQL 2000, MSDE 2000, SQL 2005, SQL 2008(R2), or All SQLEXPRESS versions

Introduction

Windows default security settings do not allow domain users (non administrators) to access the required server-based resources required to run reports in ELM Publisher reports. The user will receive Access Denied messages until the required permissions are applied to each sub-system.

It is recommended that a domain user group be established and used to configure security settings. The administrator may add or remove users from the domain group in order to permit or deny access. The following instructions use the domain\Domain Users group. Replace the generic references domain\Domain Users with the domain user group specific to your environment in order to provide access to selected accounts.

*SQL Server 2000

Skip to step 2 if you are not using Windows Integrated security for access to the ELM Database.

  • Permit read-only access to the ELM Database. This allows the user to run reports that query the database.
  • Add the group domain\Domain Users to the SQL Server Logins.
  1. Using the SQL Server Enterprise Manager select the Security | Logins container.
  2. Choose Action | New Login from the menu. Give the group db_datareader access to the primary ELM database, by default ELM_PRIMARY.

KBA - SQL Server 2000

*SQL Server 2005/2008(R2)

Skip to step 2 if you are not using Windows Integrated security for access to the ELM Database.

  • Permit read-only access to the ELM Database. This allows the user to run reports that query the database.
  • Add the group domain\Domain Users to the SQL Server Logins.
  1. Using the SQL Server Enterprise Manager select the Security | Logins container.
  2. Right Click Logins | New Login from the menu. Give the group db_datareader access to the primary ELM database, by default ELM_PRIMARY.

KBA - SQL Server 2005-2008

DCOM Config

Permit the user to activate ELM COM objects. This allows the user to connect to the ELM Server, a requirement to run reports.

  1. Start the DCOM configuration utility by going to Start | Run.
  2. 2.Enter dcomcnfg.
  3. On Windows XP and Windows Server 2003 choose the Component Services | Computers container, select My Computer then choose Action | Properties from the menu.
  4. Click on the Edit Default… button in the Launch and Activation Permissions area
  5. Add DOMAIN\Domain Users with Local Activation and Remote Activation permissions

KBA - DCOM Permissions

File System

Ensure the user accounts have Modify access to the ELM Server reports Temp folder located under the ELM installation folder. By default this is:

c:\Program Files\ELM Enterprise Manager\Website\Reports\Data\Temp.

You may add the group domain\Domain Users either to the security descriptor for this folder, or to the local machine\Users group, depending on the security strategy and requirements for your environment.
ELM Server

The ELM Server default security grants the built-in group Everyone Read access. The default operating system permissions do not allow Everyone access. After implementing the changes, generally you will not have to change the default permissions for the ELM Server. You should however, check the ELM Server permissions to ensure the group has Read access. To check the permissions, from the ELM Management Console select the ELM Server computer name, choose Action | Security from the menu.
See Also

Another approach to providing specific limited access is described in the following article: Logon failed message reported when running ELM Reports Manager reports.

Revision: 2.1

Last Modified:  12/1/2010

Last Reviewed: 12/1/2010

Article Type:  Security