A. SCCM has very granular security capabilities, including the ability to grant users access to only specific reports. First, make sure you have at least one Report Point site server in your environment. On the Report Point site server, there will be a group called SMS Reporting Users. Add users you want to be able to run reports to this group.
I prefer to create a domain global group named SMS Reporting Users and add that domain group into each local SMS Reporting Users on each Reporting Point to simplify management. This way, if additional users need to run reports, you can just add those users to that domain global group.
If users want to run reports from the SCCM console and not the SCCM website, ensure the SMS Reporting Users domain group also has read access to the Site object class for all instances. If users should access only specific reports, give those users read access to only those specific report instances. As you can see below, I gave the reporting group access to only two reports. When I go to the website, I see only those two reports. Reports are cumulative, so you can give different users different rights, and when they look at reports they'll get the sum of all reports available to them and any groups they're in.
For example, I gave user John access to one additional report. Now when I look, I see the following, which is the combination of the SMS Reporting Users and John's permissions.