cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
SorenHElisa
Frequent Visitor

What are the minimum rights for the caller to access REST API on Power BI Report Server?

Hi,

 

Our on-prem PBIRS is January 2022. We are aiming to automate some routine processes and the REST API environment seems to have everything we need. We have configured WindowsNegotiate and WindowsNTLM in the ReportServer.config file. 

 

I've tried finding a documentation or some page that explains what the minimum requirements the calling user must have inside the PBIRS environment to be able to use the AP, but so far unable to find anything telling me what I need. Therefore reaching out here. 

 

So my question:

What are the minimum requirements for the calling Windows user to be able to use the REST API?

 

It seems it is allowed when adding the calling user to the Local Administrator group on the server.  But I really don't want to add this user to that group just for this purpose. Is there any other way to achieve the same with less rights?

 

Br,

Sören

1 ACCEPTED SOLUTION


@SorenHElisa wrote:

As the user trying to use the API, I can see all reports. I can even set access rights on report and folder level as the user logged on. 

 


So if you login as the user that is trying to use the API and then paste the following address into the address bar you should get a json response back 

 

https://<report_server>/reports/api/v2.0/PowerBIReports

 

If this works the issue could be with how you are calling curl, not with the API permissions. It could be similar to the issue here https://stackoverflow.com/questions/38353736/ntlm-handshake-rejected-curl 

 

Have you tried with any other tools like Postman or using Invoke-RestMethod from Powershell

View solution in original post

6 REPLIES 6
SorenHElisa
Frequent Visitor

Hi, 

I should have mentioned that I'm trying the REST API accessible via:

https://<report server>/reports/api/v2.0/<function name>

 

"If the user has Browser rights they will be able to list reports." This is not true - at least in our environment. Even if I put the user as System user / System administrator via PBIRS' Site Settings, and call the function

https://<server>/reports/api/v2.0/PowerBIReports

(without any Report ID, to list all the reports available) the user gets a 401 response. 

 

It seems like the role of the user inside Power BI Report Server is not affecting the API calls. The user need some kind of rights on OS level before the functions can be called. 

 

So, please, what minimum OS level role or rights do I need in order to be able to access the API?

 

Br,

S.


@SorenHElisa wrote:

Even if I put the user as System user / System administrator via PBIRS' Site Settings,


Site settings is not where you assign the permissions to view reports. Adding a user as a System User or even System Administrator will not give them access to any reports. You need to click on the "Manage Folder" option and add the user there and assign the Browser role.

 

If you login to the portal as the user you are trying to call the REST API with can you see any reports? As I've already said, If you cannot see any reports in the browser you will not see any reports via the API.

 


@SorenHElisa wrote:

 

So, please, what minimum OS level role or rights do I need in order to be able to access the API?

The OS roles/rights are irrelevant to Report Server it uses the permissions assigned in the portal. 

The user accessing API: 

- sees all the reports

- do not have any rights on OS level

 

As the user trying to use the API, I can see all reports. I can even set access rights on report and folder level as the user logged on. 

 

When running 

curl -i https://<report_server>/reports/api/v2.0/PowerBIReports -v --ntlm -u "<username>:<password>"

 

I get the repsponse 

 

* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
< Content-Length: 0
Content-Length: 0
< Server: Microsoft-HTTPAPI/2.0
Server: Microsoft-HTTPAPI/2.0
< WWW-Authenticate: Negotiate
WWW-Authenticate: Negotiate
* NTLM handshake rejected
* Authentication problem. Ignoring this.
< WWW-Authenticate: NTLM
WWW-Authenticate: NTLM
< Date: Mon, 04 Apr 2022 05:58:31 GMT
Date: Mon, 04 Apr 2022 05:58:31 GMT

 

When running the same API call, but with user having both Site Admin rights in the Power BI Server AND Administrator rights on OS, I get a list of reports in JSON format. 

 

When running the API call with user being Administrator on OS level but has no rights (at least I tried removing all rights for the particular user) in the PBIRS portal, the API call works. 

 

So, what are the minimum OS rights the user need without having to be Administrator on OS. 

 

Are we talking about the same things here? I start wondering if our discussions are not matching somehow..?

 


@SorenHElisa wrote:

As the user trying to use the API, I can see all reports. I can even set access rights on report and folder level as the user logged on. 

 


So if you login as the user that is trying to use the API and then paste the following address into the address bar you should get a json response back 

 

https://<report_server>/reports/api/v2.0/PowerBIReports

 

If this works the issue could be with how you are calling curl, not with the API permissions. It could be similar to the issue here https://stackoverflow.com/questions/38353736/ntlm-handshake-rejected-curl 

 

Have you tried with any other tools like Postman or using Invoke-RestMethod from Powershell

The --anyauth was the missing link! 

 

Thank you so much for pointing this out. Since everything pointing to NTLM authentication, I did not understand that the call needed something else. 

 

Case solved!

 

Have a wonderful day,

Sören

d_gosbell
Super User
Super User

It depends on what specific API you are calling. The rights are controlled by the permissions set in Report Server you do not need to add the user to the server admin role. 

 

If the user has Browser rights they will be able to list reports. If you want to alter reports or data sources you would probably need contribute rights. If you want to change subscriptions or permissions you would probably need Content Manager rights. Basically if a user can perform an action through the UI they can also do it with the REST API.

Helpful resources

Announcements
September Update

Check it Out!

Click here to learn more about the September 2022 updates!

Power BI Show episode 9

The Power BI Community Show

Watch the playback when Priya Sathy and Charles Webb discuss Datamarts! Kelly also shares Power BI Community updates.

Power BI Dev Camp Session 25

Ted's Dev Camp - August 25, 2022

Watch Session 25 of Ted's Dev Camp.