Later, I found the report was called from code, either by SRSReportRun or SrsReportRunController. And there's not menu items tied to that report, which means the role doesn't have the menu item of the report in its security enty point. After adding a menu item of that report and adding that menu item to the role, that user can run report well.
Seems not that complicated, but why it bugs me for many days? The reason is that I always thought if a user can open a report, that user must have privilege to execute that report, but I was wrong. User can see the parameters form, enter query criteria, but that doesn't mean the user has privilege to show data in that report. Cause so far, the security validation for report has not worked yet, not until user hits the button to render data.
To prove my conclusion, I rolled back to remove the menu item of the report I added, and I added the table of the report needs to load to that role permission. Then I executed the report with that user, everything is good.
- So when setting security, the menu item entry point actually does 2 things,
- Enable the user of that role to see the menu item in menu.
- Enable the user of that role to operate with the data to which the object linked that menu item needs. Like this below.
- If there's no menu item to that object, user is still able to execute that object from code, as long as the role of that user has permission to operate the data table of that object.