Thursday, March 22, 2012

Does RS cache AD groups?

Hi,
I've run into a few problems, and I think RS may be to blame. I was hoping
one of the experts out there would be able to offer some input.
I set up role-based security in RS as follows:
Report 1, 2, and 3: all authenticated users assigned browser role
Reports 4, 5: a select group (AD security group named
"ReportingCommissions") assigned browser role
I added a new user to the ReportingCommissions group via Active Directory
Users and Groups and replicated both domain controllers.
After that, the user was not able to see report 4 or 5 in his list of
reports in the folder. If I added his exact Windows username to report 4 as
a browser, he can see it immediately.
Rebooting the server that houses the RS web app did the trick - the user can
now see both folders as a member of the group ReportingCommissions.
This leads me to believe that RS is somehow caching the list of members of
each Windows security group assigned to roles in RS. I can see why this
would be done, as it would slow folder browsing down to enumerate these
groups for every report in the current folder. Whereas matching up a
username should be much quicker, so there is no need to cache that info.
Is my assumption correct, or am I missing something? If the group
memberships are being cached in RS, can you tell me for how long? Is there
any way to clear that cache or add to a group's membership within the db?
Restarting the ReportServer service did not help, but I didn't try
restarting any of the IIS-related services.
--
Regards,
Jake Marx
MS MVP - Excel
www.longhead.com
[please keep replies in the newsgroup - email address unmonitored]Has anyone run across this before? Any answers from MS? Thanks in
advance...
--
Regards,
Jake Marx
MS MVP - Excel
www.longhead.com
[please keep replies in the newsgroup - email address unmonitored]
Jake Marx wrote:
> Hi,
> I've run into a few problems, and I think RS may be to blame. I was
> hoping one of the experts out there would be able to offer some input.
> I set up role-based security in RS as follows:
> Report 1, 2, and 3: all authenticated users assigned browser role
> Reports 4, 5: a select group (AD security group named
> "ReportingCommissions") assigned browser role
> I added a new user to the ReportingCommissions group via Active
> Directory Users and Groups and replicated both domain controllers.
> After that, the user was not able to see report 4 or 5 in his list of
> reports in the folder. If I added his exact Windows username to
> report 4 as a browser, he can see it immediately.
> Rebooting the server that houses the RS web app did the trick - the
> user can now see both folders as a member of the group
> ReportingCommissions.
> This leads me to believe that RS is somehow caching the list of
> members of each Windows security group assigned to roles in RS. I
> can see why this would be done, as it would slow folder browsing down
> to enumerate these groups for every report in the current folder. Whereas
> matching up a username should be much quicker, so there is no
> need to cache that info.
> Is my assumption correct, or am I missing something? If the group
> memberships are being cached in RS, can you tell me for how long? Is
> there any way to clear that cache or add to a group's membership
> within the db? Restarting the ReportServer service did not help, but
> I didn't try restarting any of the IIS-related services.|||I got a response for you from Tudor Trufinescu, a dev lead. He says he's
answered this often enough that it was time to create a blog entry. It's at
http://blogs.msdn.com/tudortr/archive/2004/10/27/248846.aspx and it mentions
a KB article as well.
--
Sincerely,
Stephen Dybing
This posting is provided "AS IS" with no warranties, and confers no rights.
"Jake Marx" <msnews@.longhead.com> wrote in message
news:eBAH5z3uEHA.3976@.TK2MSFTNGP09.phx.gbl...
> Has anyone run across this before? Any answers from MS? Thanks in
> advance...
> --
> Regards,
> Jake Marx
> MS MVP - Excel
> www.longhead.com
> [please keep replies in the newsgroup - email address unmonitored]
>
> Jake Marx wrote:
>> Hi,
>> I've run into a few problems, and I think RS may be to blame. I was
>> hoping one of the experts out there would be able to offer some input.
>> I set up role-based security in RS as follows:
>> Report 1, 2, and 3: all authenticated users assigned browser role
>> Reports 4, 5: a select group (AD security group named
>> "ReportingCommissions") assigned browser role
>> I added a new user to the ReportingCommissions group via Active
>> Directory Users and Groups and replicated both domain controllers.
>> After that, the user was not able to see report 4 or 5 in his list of
>> reports in the folder. If I added his exact Windows username to
>> report 4 as a browser, he can see it immediately.
>> Rebooting the server that houses the RS web app did the trick - the
>> user can now see both folders as a member of the group
>> ReportingCommissions.
>> This leads me to believe that RS is somehow caching the list of
>> members of each Windows security group assigned to roles in RS. I
>> can see why this would be done, as it would slow folder browsing down
>> to enumerate these groups for every report in the current folder. Whereas
>> matching up a username should be much quicker, so there is no
>> need to cache that info.
>> Is my assumption correct, or am I missing something? If the group
>> memberships are being cached in RS, can you tell me for how long? Is
>> there any way to clear that cache or add to a group's membership
>> within the db? Restarting the ReportServer service did not help, but
>> I didn't try restarting any of the IIS-related services.
>|||Stephen Dybing [MSFT] wrote:
> I got a response for you from Tudor Trufinescu, a dev lead. He says
> he's answered this often enough that it was time to create a blog
> entry. It's at
> http://blogs.msdn.com/tudortr/archive/2004/10/27/248846.aspx and it
> mentions a KB article as well.
Thanks, Stephen. I thought I had waited more than 15 minutes, but I was
probably just being impatient. I don't think our security group updates
will be that frequent, so I'll probably have users wait the 15 minutes (or
restart the w3 publishing service if we can't wait).
Thanks again - I appreciate the followup.
--
Regards,
Jake Marx
MS MVP - Excel
www.longhead.com
[please keep replies in the newsgroup - email address unmonitored]

No comments:

Post a Comment