Power BI Report Server Admin security issue

I am running an instance of Power BI Report Server on a server here with the following versions.

  • Report server - Version 1.4.7024.16477 (January 2019)
  • SQL Server 2017

I have found a scenario where, if I remove a user's System Administrator access, they are still able to access the "Site Settings" section of the portal and, from there, can see all the sections: General, Branding, Schedules and Security. Most of the pages take steps to secure themselves against this; for example, even though the user can see Branding, it protects itself against the users by hiding all the buttons.

For the Security section, however, these users are able to access the page and interact with it as if they had the System Administrator role.

 

I have checked the Reporting Database for the dbo.UserRolePolicies table and it reflects what is shown through the UI, so the non-admin users in the Portal also do not show as an Admin in the database.

 

Are there some system config issues I am missing, or is there a bug with security in the portal itself?

Status: New
Comments
Moderator

Hi @Cosmal

 

Power BI Report Server uses two parts of role-based security (item-level roles and system-level roles) to grant user access to a report server. In your scenario, is the user in the local administrator group?

 

I tested with Power BI Report Server May 2019 version 15.0.1102.371. If we assign a user (who isn't in the local administrator group) the Viewer role on the root node (the Home folder), the user will not see the Site Settings button. Which item-level role do you assign to the user? Please update Power BI Report Server to the May version, then test again.

 

Best Regards,
Qiuyun Yu 

Frequent Visitor

Thanks for the reply @v-qiuyu-msft. I'll detail the scenario more, as it was working the way you describe.

My scenario is as follows:

  1. User XYZ is a "System Administrator" for the site itself, and only has the "My Reports" permission for Home.
  2. User XYZ has access to the site's Security page and can set permissions.
  3. I remove User XYZ's "System Administrator" role from the site itself. At the site level, they are now neither an Admin nor a User. Their "My Reports" permissions remain untouched.
  4. User XYZ is still able to access the site-level Security section and make changes.

Would it make a difference if User XYZ is a member of the Admin group on the Windows Server host? I can't find a specific reason that a user without the System Administrator role can access that page. I am not in control of when we can update the site to the May version, but if it does actually resolve the issues I might be able to push for it.

Frequent Visitor

Any other feedback on this? I am running into a number of issues with the system-level permissions (Admin and Users) and I am wondering about the best route to get support on this. Even though my environment is only a sandbox one, I would prefer not to have to wipe the database and recreate it to try and resolve this.

Moderator

Hi @Cosmal

 

By default, users who are members of the local Administrators group have permissions to report server content and operations. See: https://docs.microsoft.com/en-us/sql/reporting-services/security/grant-user-access-to-a-report-serve...

 

For your issue, I would suggest you create a support ticket to get dedicated help. 

 


 

Best Regards,
Qiuyun Yu
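
Added example, not part of the thread and not Microsoft's code: a PowerShell check, run in an elevated session on the report server host, that answers the moderator's question of whether an account whose System Administrator role was removed is still in the local Administrators group. The account name `CONTOSO\xyz` is a constructed placeholder.

```powershell
# Accounts whose System Administrator role was removed in the portal.
# 'CONTOSO\xyz' is a constructed placeholder, not a value from the thread.
$removedAdmins = @('CONTOSO\xyz')

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators; using the SID
# avoids depending on a localized group name.
$members = Get-LocalGroupMember -SID 'S-1-5-32-544'

# Direct members that match the accounts under review (-contains is
# case-insensitive, and Name is reported as DOMAIN\account).
$direct = @($members | Where-Object { $removedAdmins -contains $_.Name })

# Groups inside local Administrators: an account can be a member indirectly
# through any of these, so they have to be reviewed as well.
$groups = @($members | Where-Object { $_.ObjectClass -eq 'Group' })

foreach ($account in $removedAdmins) {
    if ($direct.Name -contains $account) {
        '{0}: direct member of local Administrators' -f $account
    }
    else {
        '{0}: not a direct member; review the {1} nested group(s) below' -f $account, $groups.Count
    }
}

# Nested groups and where they are defined (Local, ActiveDirectory, ...).
$groups | Select-Object Name, PrincipalSource | Format-Table -AutoSize
```

If the account appears here, directly or through one of the listed groups, the portal role assignment is not the only source of its administrative access, which matches the default behaviour the moderator describes.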