Find a nice blog on reports security:
{All credit goes to the owner of the blog}
In Microsoft Dynamics CRM, reports can be set as Viewable by User or by Organization. To see this setting in Microsoft Dynamics CRM 2011, navigate to WorkplaceàReports, select a report and click Edit on the Ribbon. The setting is usually on the Administration tab.
This setting can be a little bit difficult to understand because changing the report to “Viewable by Individual” may not automatically secure it to the user depending on the logged in user’s security role. So, let’s take some time to understand the differences between the two options.
Setting a report to be viewable by the Organization means that all users can see it, meaning the report is essentially “Organization Owned.” The exception to this is in some implementations, the out-of-the-box reports are owned by “System” which is not a user in CRM. These reports can only be seen by users whose Reports security is set to the Organization. If you change the security role so that the user cannot see all reports in the Organization, these reports disappear. Assigning the report to a user in CRM makes that report potentially visible depending on the user’s security role.
Setting a report to be Viewable by the Individual does not “hide” it from everyone, but rather makes it subject to each user’s access privileges. So if users have read access to reports in their business units, they will see all reports that are Viewable by Organization along with reports that are Viewable by Individual where the owner of the report is in their business unit.
To completely secure reports to an individual, you would need to change read privileges on all security roles to User only like in the example above, and in that case, a report either needs to be owned by the user or explicitly shared with the user in order for the user to see it.