SSRS Search Security

Perry Provost 1 Reputation point
2021-05-13T15:39:03.327+00:00

Hello,

We have an SSRS 2012 server set up in native mode that uses folder-level security. We have domain groups set up so each user within the groups can only see and browse the folders and reports that we want them to see. If I add a dummy domain user account to one of those domain groups, and then log in to the SSRS server using it, everything looks and behaves as it should. They can only see their own folder and the reports within it.

The issue that I'm having is that if one of those users does a search for a report, SSRS returns a list of all matching reports and folders in the system, including those that are in folders that the domain group does not have access to, and should not be able to see. Even worse, if they click on one of the found reports, SSRS will let them view it. I would have thought that the SSRS search would only limit the results to those reports and folders that the user has access to.

I thought maybe I could get around it by modifying the Browser role to hide the search box, but there doesn't seem to be a way to do that either.

Does anyone have any suggestions how to limit what the search returns, or how to disable the search box? Is this just a limitation in SSRS 2012?

Thanks!

SQL Server Reporting Services

A SQL Server technology that supports the creation, management, and delivery of both traditional, paper-oriented reports and interactive, web-based reports.

2 answers

  1. Perry Provost 1 Reputation point
    2021-05-14T12:57:42.21+00:00

    Hi Joy,

    All I meant by the dummy domain account was that I created a temporary domain account for testing, and added it to the same domain group that the actual end users are in. That way, I could log in to SSRS under that account and have the same rights and see what the actual end users were seeing.

    Let's say I create two folders in SSRS off of the root folder. One folder is called Helpdesk Reports and the other called Finance Reports. In Active Directory, we have two domain groups. One is called Helpdesk Team and the other is called Finance Team. Then, in SSRS, I grant the Help Desk Team access to the HelpDesk Reports folder and the Finance Team access to the Finance Reports folder. Each group only sees their permitted folder and any reports within them. They cannot see folders or reports from the other group.

    Now, let's say that someone from the HelpDesk Team does a search for a report using the Search box. What one would expect is that the search results would show any matching reports that exist within the HelpDesk Reports folder.

    However, what is happening is that in the search results, it is also showing reports that exist in the Finance Reports folder. In addition, if the HelpDesk Team then clicks on one of those found Finance Reports, it will run and show results. SSRS shouldn't allow that.


  2. Joyzhao-MSFT 15,651 Reputation points
    2021-05-14T07:45:17.9+00:00

    Hi @Perry Provost ,
    Sorry, I don't understand what you mean. Do you mean that dummy domain users ignore the role permissions you assign?
    I am not very clear about the concept of dummy domain users. I guess whether the role configuration is only for domain users and domain groups. Is everything normal to configure roles for domain users?
    In addition, the disabling of the search box you mentioned, I think it is impossible to achieve.
    If I misunderstood what you mean, please feel free to correct me.
    Best Regards,
    Joy
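
An added example, not part of the original thread: one way to see which role assignments actually apply to each folder and report in the scenario described above is to dump the security policies through the Report Server SOAP endpoint (`ReportService2010.asmx`, available in SSRS 2012 native mode). The server URL is a placeholder, the list of broad principals is an assumption to adapt, and the script assumes Windows PowerShell 3.0 or later run under an account allowed to read item security (for example a Content Manager).

```powershell
# Added example: audit role assignments per catalog item on a native-mode report server.
# Placeholder URL; replace with your own Report Server (not Report Manager) URL.
$ReportServerUrl = 'http://reportserver.example.local/ReportServer'
$rs = New-WebServiceProxy -Uri "$ReportServerUrl/ReportService2010.asmx?wsdl" -UseDefaultCredential

# Collect the root folder plus every folder and report beneath it.
$paths = @('/') + @($rs.ListChildren('/', $true) |
    Where-Object { $_.TypeName -in 'Folder', 'Report' } |
    ForEach-Object { $_.Path })

$rows = foreach ($path in $paths) {
    # GetPolicies returns the policies in effect on the item and reports,
    # through the second argument, whether they are inherited from the parent.
    $inherits = $true
    $policies = $rs.GetPolicies($path, [ref]$inherits)
    foreach ($policy in $policies) {
        [pscustomobject]@{
            Path               = $path
            InheritsFromParent = $inherits
            Principal          = $policy.GroupUserName
            Roles              = ($policy.Roles | ForEach-Object { $_.Name }) -join ', '
        }
    }
}

# 1) The root folder and every item that carries its own (non-inherited) security.
$rows | Where-Object { $_.Path -eq '/' -or -not $_.InheritsFromParent } |
    Sort-Object Path, Principal |
    Format-Table Path, Principal, Roles -AutoSize

# 2) Assignments to principals that contain most or all users.
#    Assumed list of broad principals; extend it for your domain.
$broad = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'
$rows | Where-Object { $broad -contains $_.Principal -or $_.Principal -like '*\Domain Users' } |
    Sort-Object Path |
    Format-Table Path, Principal, Roles, InheritsFromParent -AutoSize
```

Any row in the second table for the root folder or for a folder such as Finance Reports grants access to users outside the intended domain group, regardless of what folder browsing appears to show.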


    If the answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Was this answer helpful?

    0 comments No comments
