cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Takasatsu

PowerBI RS security issue: How to avoid direct access to Report Server URL through the web browser ?

Submitted by on ‎07-06-2022 02:51 AM

Hi!

 

We have a serious security issue regarding Power BI Report Server.

We depolyed a power bi report server report URL on a web portal but the URL is easy to catch after inspection on the portal and a user can have access to data of all other customers.

So we would like to avoid direct access to the URL through the web browser and avoid random people over the internet to access the ReportServer.

 

Any thoughts or suggested solutions would be greatly appreciated.

 

Thanks!

Status: Investigating
See more ideas labeled with:
4 Comments (4 New)
Comments
v-xiaoyan-msft
Community Support
Community Support
‎07-07-2022 12:23 AM
Status changed to: Delivered

Hi @Takasatsu ,

 

Not everyone can access it, you have to give permission to do so. Because you don't give permission to other users, so of course they can't see it
You can set permissions to the report as well, so that only those who can see it can access it, and others can't see it, or set permissions on the web side.

 

You could refer to:

https://docs.microsoft.com/en-us/sql/reporting-services/security/role-assignments?view=sql-server-ve... 

https://docs.microsoft.com/en-us/sql/reporting-services/security/grant-user-access-to-a-report-serve... 

 

Best Regards,
Community Support Team _ Caitlyn

 

Takasatsu
Frequent Visitor
‎07-07-2022 03:18 AM

Hi @v-xiaoyan-msft ,

 

I would like to specify that we are using SSO (SAML) authentication mode on Power BI Report Server (to avoid double authentication in the web portal), and with this mode we can not use RLS. What we are doing to manage users access to filtered data is adding filters in the Report Server URL. The problem is that those filters are not hidden and could be modified or deleted from users after catching the Report Server URL.

With this mode the Username of all users who will access to the web portal is displayed "API" also the domain of the report server and the web portal are different.

Takasatsu_0-1657187780932.png

Could you help please with more specifications on how to set permissions in this case?

 

(Data loading mode: Import).

 

Thank you,

With best regards.

 

Takasatsu
Frequent Visitor
‎07-07-2022 08:19 AM

Hi!

 

We have a serious security issue regarding Power BI Report Server.

We depolyed a power bi report server report URL on a web portal but the URL is easy to catch after inspection on the portal and a user can have access to data of all other customers.

So we would like to avoid direct access to the URL through the web browser and avoid random people over the internet to access the ReportServer.

 

  • I would like to specify that we are using SSO (SAML) authentication mode on Power BI Report Server and with this mode we can not use RLS. What we are doing to manage users access to filtered data is adding filters in the Report Server URL. The problem is that those filters are not hidden and could be modified or deleted from users after catching the Report Server URL from the browser console.
  • Data loading mode : import
  • Domains of the report server and the web portal are different.

 

Any thoughts or suggested solutions would be greatly appreciated.

v-xiaoyan-msft
Community Support
Community Support
‎08-02-2022 06:51 PM
Status changed to: Investigating
 
Idea Statuses