Cosmal Frequent Visitor

Report Server Admin Security issue

I have posted this in the Ideas section as well in case it is a bug, but I want to ask it here as well. If that is not allowed, I'll remove this one.

 

I am running an instance of Power BI Report Server on a server here with the following versions.

  • Report Server - Version 1.4.7024.16477 (January 2019)
  • SQL Server 2017

I have found a scenario where if I remove a user's System Administrator access, they are still able to access the "Site Settings" section of the portal, and from there, can see all the sections: General, Branding, Schedules and Security. Most of the pages take steps to secure themselves against this; for example, even though the user can see Branding, it protects itself against the users by hiding all the buttons.

Sys User Branding.PNG

For the Security section, however, these users are able to access the page and interact with it as if they had the System Administrator role.

 

I have checked the Reporting Database for the dbo.UserRolePolicies table and it reflects what is shown through the UI, so the non-admin users in the Portal also do not show as an Admin in the database.

 

Is there some system config issue I am missing, or is there a bug with security in the portal itself?

2 REPLIES

Super User

Re: Report Server Admin Security issue

Was the user already logged in when you removed them from the admin group? A lot of the pages in the PBIRS portal are cached. If I had the portal open as a test admin user, then removed that user from the admin role, I could still see site settings, but as soon as I refreshed my browser page this option disappeared (with the May 2019 release). I could get to the General and Branding pages by typing in the URL, but could not make any changes. My hope is that any attempt to save changes should be blocked on the server.

 

As soon as I attempt to directly access the security page with a non-admin using the May 2019 release, I get the dialog on the right.

2019-09 pbirs security.png

Cosmal Frequent Visitor

Re: Report Server Admin Security issue

Thanks for the reply. I tried your scenario in the version I'm running. I am able to use the URL to navigate to the Branding and General admin pages. It looks like this was resolved in the May release.
