Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
SorenHElisa
Helper I
Helper I

What are the minimum rights for the caller to access REST API on Power BI Report Server?

‎04-01-2022 01:17 AM

Hi,

 

Our on-prem PBIRS is January 2022. We are aiming to automate some routine processes and the REST API environment seems to have everything we need. We have configured WindowsNegotiate and WindowsNTLM in the ReportServer.config file. 

 

I've tried finding a documentation or some page that explains what the minimum requirements the calling user must have inside the PBIRS environment to be able to use the AP, but so far unable to find anything telling me what I need. Therefore reaching out here. 

 

So my question:

What are the minimum requirements for the calling Windows user to be able to use the REST API?

 

It seems it is allowed when adding the calling user to the Local Administrator group on the server.  But I really don't want to add this user to that group just for this purpose. Is there any other way to achieve the same with less rights?

 

Br,

Sören

Message 1 of 7
1,190 Views
0
1 ACCEPTED SOLUTION
d_gosbell
Super User
Super User
In response to SorenHElisa

‎04-03-2022 11:45 PM
@SorenHElisa wrote:

As the user trying to use the API, I can see all reports. I can even set access rights on report and folder level as the user logged on. 

 

So if you login as the user that is trying to use the API and then paste the following address into the address bar you should get a json response back 

 

https://<report_server>/reports/api/v2.0/PowerBIReports

 

If this works the issue could be with how you are calling curl, not with the API permissions. It could be similar to the issue here https://stackoverflow.com/questions/38353736/ntlm-handshake-rejected-curl 

 

Have you tried with any other tools like Postman or using Invoke-RestMethod from Powershell

View solution in original post

Message 6 of 7
1,085 Views
0
6 REPLIES 6
SorenHElisa
Helper I
Helper I

‎04-03-2022 10:23 PM

Hi, 

I should have mentioned that I'm trying the REST API accessible via:

https://<report server>/reports/api/v2.0/<function name>

 

"If the user has Browser rights they will be able to list reports." This is not true - at least in our environment. Even if I put the user as System user / System administrator via PBIRS' Site Settings, and call the function

https://<server>/reports/api/v2.0/PowerBIReports

(without any Report ID, to list all the reports available) the user gets a 401 response. 

 

It seems like the role of the user inside Power BI Report Server is not affecting the API calls. The user need some kind of rights on OS level before the functions can be called. 

 

So, please, what minimum OS level role or rights do I need in order to be able to access the API?

 

Br,

S.

Message 3 of 7
1,099 Views
0
d_gosbell
Super User
Super User
In response to SorenHElisa

‎04-03-2022 10:45 PM
@SorenHElisa wrote:

Even if I put the user as System user / System administrator via PBIRS' Site Settings,

Site settings is not where you assign the permissions to view reports. Adding a user as a System User or even System Administrator will not give them access to any reports. You need to click on the "Manage Folder" option and add the user there and assign the Browser role.

 

If you login to the portal as the user you are trying to call the REST API with can you see any reports? As I've already said, If you cannot see any reports in the browser you will not see any reports via the API.

 

@SorenHElisa wrote:

 

So, please, what minimum OS level role or rights do I need in order to be able to access the API?

The OS roles/rights are irrelevant to Report Server it uses the permissions assigned in the portal. 

Message 4 of 7
1,096 Views
0
SorenHElisa
Helper I
Helper I
In response to d_gosbell

‎04-03-2022 11:07 PM

The user accessing API: 

- sees all the reports

- do not have any rights on OS level

 

As the user trying to use the API, I can see all reports. I can even set access rights on report and folder level as the user logged on. 

 

When running 

curl -i https://<report_server>/reports/api/v2.0/PowerBIReports -v --ntlm -u "<username>:<password>"

 

I get the repsponse 

 

* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
< Content-Length: 0
Content-Length: 0
< Server: Microsoft-HTTPAPI/2.0
Server: Microsoft-HTTPAPI/2.0
< WWW-Authenticate: Negotiate
WWW-Authenticate: Negotiate
* NTLM handshake rejected
* Authentication problem. Ignoring this.
< WWW-Authenticate: NTLM
WWW-Authenticate: NTLM
< Date: Mon, 04 Apr 2022 05:58:31 GMT
Date: Mon, 04 Apr 2022 05:58:31 GMT

 

When running the same API call, but with user having both Site Admin rights in the Power BI Server AND Administrator rights on OS, I get a list of reports in JSON format. 

 

When running the API call with user being Administrator on OS level but has no rights (at least I tried removing all rights for the particular user) in the PBIRS portal, the API call works. 

 

So, what are the minimum OS rights the user need without having to be Administrator on OS. 

 

Are we talking about the same things here? I start wondering if our discussions are not matching somehow..?

 

Message 5 of 7
1,095 Views
0
d_gosbell
Super User
Super User
In response to SorenHElisa

‎04-03-2022 11:45 PM
@SorenHElisa wrote:

As the user trying to use the API, I can see all reports. I can even set access rights on report and folder level as the user logged on. 

 

So if you login as the user that is trying to use the API and then paste the following address into the address bar you should get a json response back 

 

https://<report_server>/reports/api/v2.0/PowerBIReports

 

If this works the issue could be with how you are calling curl, not with the API permissions. It could be similar to the issue here https://stackoverflow.com/questions/38353736/ntlm-handshake-rejected-curl 

 

Have you tried with any other tools like Postman or using Invoke-RestMethod from Powershell

Message 6 of 7
1,086 Views
0
SorenHElisa
Helper I
Helper I
In response to d_gosbell

‎04-03-2022 11:55 PM

The --anyauth was the missing link! 

 

Thank you so much for pointing this out. Since everything pointing to NTLM authentication, I did not understand that the call needed something else. 

 

Case solved!

 

Have a wonderful day,

Sören

Message 7 of 7
1,083 Views
0
d_gosbell
Super User
Super User

‎04-01-2022 09:42 PM

It depends on what specific API you are calling. The rights are controlled by the permissions set in Report Server you do not need to add the user to the server admin role. 

 

If the user has Browser rights they will be able to list reports. If you want to alter reports or data sources you would probably need contribute rights. If you want to change subscriptions or permissions you would probably need Content Manager rights. Basically if a user can perform an action through the UI they can also do it with the REST API.

Message 2 of 7
1,142 Views
0

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All