Is there a role in SCM that only allows extracting reports (for example, of users and groups)?

Harvest Software Change Manager all versions

Harvest implements "Roles" by creating groups of users called "User Groups" and granting those "User Groups" the access needed to perform specific functions.  Harvest includes several pre-packaged user groups, but does not come with one that only allows reporting.

You can create a user group that limits it's members primarily to reporting in this way:

1. Create two new user groups.  One named "Reporting Only" (or any name you prefer) will contain the users who will only be permitted to create reports.  The other named "Other Public" (or any name you prefer) will contain all other users in the Harvest database.
   
   
2. Use the SQL report you find in this KB article, Finding all access permissions for a user group, to locate all access permission lists where the "Public" user group has been granted access.  For each of these access lists, remove the "Public" user group and add the "Other Public" user group.
   
   
3. Add this "Reporting Only" user group to the SCM-level "View Project Access" list.

This method provides access to all system-level and BIRT reports for projects, states, and packages, but does not provide broker-level or administrator level reports.  Only membership in the Harvest "Administrator" group will grant that level of access.  While this is the minimum level of access needed to run these reports, the users in this group will have other permissions as well.  According to documentation,

"View Project Access" - Defines who can view the properties of all projects inCA Harvest SCM. User groups with View Project access can also view the properties of all objects (states, processes, packages, package groups, and views) in the project.

This means the "Reporting Only" user can login to Workbench and navigate around the projects and states, and see what's there, but without membership in other groups that would grant update permissions, they can only see and not make changes.

There are two KB articles containing SQL queries that will be helpful in setting this up:

Finding all access permissions for a user group

This one lists all access permissions for a specific user group that you will specify in the SQL query.

Finding which permissions are granted to each user

If you need for your "Reporting Only" users to be able to run administrator-level reports such as listing user or repositories, or a complete access list, this cannot be done without granting them "Administrator" level access to Harvest.  In this case, an external reporting tool and custom SQL queries would be the best way to provide the reporting capability needed while restricting access to other functionality within Harvest.

For more information about granting access to objects in the Harvest system see "Control Object Access"