question

PerryProvost-2488 asked Joyzhao-MSFT commented

SSRS Search Security

Hello,

We have an SSRS 2012 server set up in native mode that uses folder level security. We have domain groups set up so each user within the groups can only see and browse the folders and reports that we want them to see. If I add a dummy domain user account to one of those domain groups, and then log in to the SSRS server using it, everything looks and behaves as it should. They can only see their own folder and the reports within them.

The issue that I'm having is that if one of those users does a search for a report, SSRS returns a list of all matching reports and folders in the system, including those that are in folders that the domain group does not have access to, and should not be able to see. Even worse, if they click on one of the found reports, SSRS will let them view it. I would have thought that the SSRS search would only limit the results to those reports and folders that the user has access to.

I thought maybe I could get around it by modifying the Browser role to hide the search box, but there doesn't seem to be a way to do that either.

Does anyone have any suggestions how to limit what the search returns, or how to disable the search box? Is this just a limitation in SSRS 2012?

Thanks!

sql-server-reporting-services

Joyzhao-MSFT answered

Hi @PerryProvost-2488 ,
Sorry I don't understand what you mean. Do you mean that dummy domain users ignore the role permissions you assign?
I am not very clear about the concept of dummy domain users. I guess whether the role configuration is only for domain users and domain groups. Is everything normal to configure roles for domain users?
In addition, the disabling of the search box you mentioned, I think it is impossible to achieve.
If I misunderstood what you mean, please feel free to correct me.
Best Regards,
Joy



PerryProvost-2488 answered Joyzhao-MSFT commented

Hi Joy,

All I meant by the dummy domain account was that I created a temporary domain account for testing, and added it to the same domain group that the actual end users are in. That way, I could log in to SSRS under that account and have the same rights and see what the actual end users were seeing.

Let's say I create two folders in SSRS off of the root folder. One folder is called Helpdesk Reports and the other called Finance Reports. In Active Directory, we have two domain groups. One is called Helpdesk Team and the other is called Finance Team. Then, in SSRS, I grant the Help Desk Team access to the HelpDesk Reports folder and the Finance Team access to the Finance Reports folder. Each group only sees their permitted folder and any reports within them. They cannot see folders or reports from the other group.

Now, let's say that someone from the HelpDesk Team does a search for a report using the Search box. What one would expect is that the search results would show any matching reports that exist within the HelpDesk Reports folder.


However, what is happening is that in the search results, it is also showing reports that exist in the Finance Reports folder. In addition, if the HelpDesk Team then clicks on one of those found Finance Reports, it will run and show results. SSRS shouldn't allow that.


Hi @PerryProvost-2488 ,
I am wondering whether there is a parent folder in these two folders. Because the folder has the characteristic of security inheritance, that is, the subfolder inherits the security of the parent folder. If so, try to cancel the security inheritance. If the user's role does not allow access to an item, then he cannot see the item.
For more information, please refer to: Role Assignments, Secure Folders
Regards,
Joy



Hi Joy, No, there is no parent folder above them. They are both directly off the main SSRS folder. In each folder I cancel the security inheritance of the other group.


Since we cannot view the server environment in the forum, we recommend that you choose Microsoft telephone support service (this support service requires you to pay some fees), which can usually solve your problem.
https://support.microsoft.com/en-us/help/4051701/global-customer-service-phone-numbers
https://support.microsoft.com/en-us/supportforbusiness/productselection

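An added example, not part of the thread and not Microsoft's code: one way to check what the report server catalog actually grants is to list the role assignments on every item under each restricted folder through the ReportService2010 SOAP endpoint and report any principal outside the intended group. The folder and group names follow the thread's example; the server URL, the `CONTOSO` domain and the `BUILTIN\Administrators` allowlist entry are assumptions.

```powershell
# Added example: audit SSRS role assignments per catalog item (native mode).
# Assumptions, not from the thread: server URL, CONTOSO domain, admin allowlist.
$ReportServerUrl = 'http://reportserver.example/ReportServer'   # placeholder URL

# Folder -> principals that are supposed to have access to it.
$Expected = @{
    '/Helpdesk Reports' = @('CONTOSO\Helpdesk Team')
    '/Finance Reports'  = @('CONTOSO\Finance Team')
}
$AlwaysAllowed = @('BUILTIN\Administrators')

# New-WebServiceProxy ships with Windows PowerShell (3.0 to 5.1).
$rs = New-WebServiceProxy -Uri "$ReportServerUrl/ReportService2010.asmx?wsdl" `
                          -UseDefaultCredential

$findings = foreach ($item in $rs.ListChildren('/', $true)) {
    # Find which restricted folder (if any) this item is, or lives under.
    $root = $Expected.Keys | Where-Object {
        $item.Path -eq $_ -or
        $item.Path.StartsWith("$_/", [StringComparison]::OrdinalIgnoreCase)
    } | Select-Object -First 1
    if (-not $root) { continue }

    # GetPolicies returns the role assignments in effect on the item and
    # reports through the out parameter whether they come from the parent.
    $inherit  = $false
    $policies = $rs.GetPolicies($item.Path, [ref]$inherit)
    $allowed  = $Expected[$root] + $AlwaysAllowed

    foreach ($p in $policies) {
        if ($allowed -notcontains $p.GroupUserName) {
            [pscustomobject]@{
                Path               = $item.Path
                Type               = $item.TypeName
                Principal          = $p.GroupUserName
                Roles              = ($p.Roles | ForEach-Object Name) -join ', '
                InheritsFromParent = $inherit
            }
        }
    }
}

# Each row is a principal with access that the folder's policy did not intend.
$findings | Sort-Object Path, Principal | Format-Table -AutoSize
```

Run it under an account that can read security policies (for example, one holding the Content Manager role on the root). Rows where `InheritsFromParent` is false on a report show an item-level assignment that differs from its folder's.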