Users with Browser Role in SSRS Could EDIT report Security settings!?

  • I am working on some financial DATA reports for Payroll.

    When testing, I found that users with BROWSER role could change the Security setting for the reports that they can access. Even when I created a new Role which only has 'View reports' permission, the user with that role still could edit the security setting.

    More precisely, by edit security setting, I mean the user can Delete any User (including himself); can add user and change user's role!

    Is this a known bug? How to fix this? I want to set up a role that will limit the users so that they can do nothing but view the reports.

    I am using SQL Server 2005 Reporting Service version: Microsoft SQL Server 2005 - 9.00.4035.00 (Intel X86) Nov 24 2008 13:01:59 Copyright (c) 1988-2005 Microsoft Corporation Standard Edition on Windows NT 5.2 (Build 3790: Service Pack 2) .

  • I have not had that happen; I am running multiple installs of SSRS. I'll check it out when I get to work again tomorrow ...

    But I would check that no groups the user is part of have been added; adding/removing security belongs to administrators only. Also check that someone didn't modify the permissions granted to the default roles.

    Mohit.

    ---

    Mohit K. Gupta, MCITP: Database Administrator (2005), My Blog, Twitter: @SQLCAN.
    Microsoft FTE - SQL Server PFE

    * Sometimes it's the search that counts, not the finding...
    * I didn't think so, but if I was wrong, I was wrong. I'd rather do something, and make a mistake than be frightened and be doing nothing.

    How to ask for help: read Best Practices here.

  • Mohit, You are right.

    I found that the user account I was testing with is part of the LOCAL Admin group on the reporting server. Hence, no matter what role I was giving to the account inside the reporting service, it was still able to control the security of any reports.

    I removed the account from the adm group and everything is working as expected.

    Thanks for the helpful suggestion.

    Cheers!
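
The check that resolved this thread, as an added example (not code from any poster): list the direct members of the local Administrators group on the report server and flag the account used for role testing. The script parameters, the function name `Get-LocalAdminMember` and the sample account name are assumptions; membership through nested domain groups is not expanded, so any group in the listing needs to be checked separately.

```powershell
# Added example: is the account under test a local administrator on the report server?
param(
    [string]$Computer = $env:COMPUTERNAME,             # assumption: the report server
    [string[]]$Account = @('CONTOSO\payroll.viewer')   # constructed sample account
)

function Get-LocalAdminMember {
    param([string]$Computer)
    # The WinNT ADSI provider also works on older hosts such as Windows Server 2003.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $type  = $m.GetType()
        $path  = $type.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $type.InvokeMember('Class',   'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://DOMAIN/name or WinNT://DOMAIN/COMPUTER/name
        $parts = ($path -replace '^WinNT://', '') -split '/'
        $name  = if ($parts.Count -ge 2) { '{0}\{1}' -f $parts[-2], $parts[-1] }
                 else { $parts[-1] }
        New-Object PSObject -Property @{ Name = $name; Class = $class; ADsPath = $path }
    }
}

$members = @(Get-LocalAdminMember -Computer $Computer)

# Full listing first: groups shown here can grant the same rights indirectly.
$members | Sort-Object Class, Name | Format-Table Name, Class -AutoSize | Out-Host

foreach ($a in $Account) {
    if ($members | Where-Object { $_.Name -eq $a }) {
        Write-Warning "$a is a direct local administrator on $Computer; report role assignments will not restrict it."
    } else {
        Write-Output "$a is not a direct member; review the groups listed above for nested membership."
    }
}
```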

  • *cheers*, even though I have not implemented it. I have read recommendations that removing the Local Admin would be a good idea, so that not everyone has access to your report server.

    That said, I am not 100% sure of the effects; I would think it shouldn't affect it as long as you make sure you add yourself in before you remove it.

    Thanks.

    Mohit.
