Cosmal Frequent Visitor

Report Server Admin Security issue

I have posted this in the Ideas section as well in case it is a bug, but I want to ask it here as well. If that is not allowed, I'll remove this one.

 

I am running an instance of Power BI Report Server on a server here with the following versions.

  • Report server - Version 1.4.7024.16477 (January 2019) 
  • SQL Server 2017

I have found a scenario where if I remove a user's System Administrator access, they are still able to access the "Site Settings" section of the portal, and from there, can see all the sections: General, Branding, Schedules and Security. Most of the pages take steps to secure themselves against this; for example, even though the user can see Branding, it protects itself against the users by hiding all the buttons.

Sys User Branding.PNG

For the Security section, however, these users are able to access the page and interact with it as if they had the System Administrator role.

 

I have checked the Reporting Database for the dbo.UserRolePolicies table and it reflects what is shown through the UI, so the non-admin users in the Portal also do not show as an Admin in the database.

 

Are there some system config issues I am missing, or is there a bug with security in the portal itself?

2 REPLIES
Super User III

Re: Report Server Admin Security issue

Was the user already logged in when you removed them from the admin group? A lot of the pages in the PBIRS portal are cached. If I had the portal open as a test admin user, then removed that user from the admin role, I could still see site settings, but as soon as I refreshed my browser page this option disappeared (with the May 2019 release). I could get to the General and Branding pages by typing in the URL, but could not make any changes. My hope is that any attempt to save changes should be blocked on the server.

 

As soon as I attempt to directly access the security page with a non-admin using the May 2019 release I get the dialog on the right 

2019-09 pbirs security.png

Cosmal Frequent Visitor

Re: Report Server Admin Security issue

Thanks for the reply. I tried your scenario in the version I'm running, and I am able to use the URL to navigate to the Branding and General admin pages. It looks like this was resolved in the May release.
