Let's say I set a subscription report including only the link to the report. Sometimes these emails or only the links from these emails are forwarded, and I want to make sure that only those who I granted access can view the report. So my question is whether
a person can view the report clicking on the link
if they do not have any right neither on the report nor on the data source? (E.g. some bad guy 'steals' the link)
if they do not have any right on the report but have right on the data source (because it is a shared DS used in other report they have right on)?
The answer for your two question is "no"! To access a report through the link, he needs role-based permission to access the Report Server first, and then have
SQL Server Reporting Services uses role-based authorization and an authentication subsystem to determine who can perform operations and access items on a report server. Reporting Services includes predefined roles that you can assign to users and groups
to provide immediate access to a report server. Content
Manager, Publisher, and Browser are examples of predefined roles.
Reporting Services also uses role-based security to control access to items(such as a Report) that are stored on a report server.
Microsoft is conducting an online survey to understand your opinion of the Technet Web site. If you choose to participate, the online survey will be presented to you when you leave the Technet Web site.