I am running an instance of Power Bi Report server on a server here with the following versions.
Report server - Version1.4.7024.16477(January 2019)
Sql Server 2017
I have found a scenario where if i remove a user's System Adminstrator access, they are still able to access the "Site Settings" section oif the portal, and from there, can see all the sections, General, Branding Schedules and Security sections. Most of the pages take steps to secure itself against this, for example even though the user can see Branding, it protects itself against the users by hiding all the buttons.
For the Security section how ever, these users are able to access the page, and interact with it as if they had the System Adminstrator role.
I have checked the Reporting Database for the dbo.UserRolePolicies table and it reflects what is shown through the UI, so the non-admin users in the Portal also do not show as an Admin in the database.
Is there some system config issues i am missing or is the a bug with security in the portal itself?