PowerBI Service Account granting duplicate execute permissions on stored procedure almost constantly

Question

I have PowerBi Server (Jan 2019) installed on my server. I can see from the default trace that that the PowerBi Service account NT SERVICE\PowerBIReportServer is granting execute permissions on a stored procedure ExtendEditSessionLifetime to the RSExecRole (within the ReportServer database):

GRANT EXECUTE ON [dbo].[ExtendEditSessionLifetime] TO RSExecRole

This is happening frequently many times during the hour, most hours (around 50 times an hour) there doesn't seem to a pattern that I can see and I can't find any documentation online about what the stored procedure does. I can't see anything obvious in the PowerBI logfiles or the event viewer either.

What could be causing this (or is it intended behaviour?)

Answer 1

I have worked out what is happening here. tl/dr - There was a missing batch separator between a stored procedure and the associated GRANT statement.

If I run:

SELECT * 
FROM sys.sql_modules 
WHERE definition LIKE '%GRANT EXECUTE ON \[dbo\].\[ExtendEditSessionLifetime\] TO RSExecRole%' ESCAPE '\'

I can see stored procedures that have that grant statement within them.

This returned one record and the definition field begins

CREATE PROC [dbo].[ExtendEditSessionLifetime]      @EditSessionID varchar(32)...... 

If I navigate to this stored procedure in the object tree and right click and script it out, I can see text of the stored procedure:

CREATE PROC [dbo].[ExtendEditSessionLifetime]
    -- params
AS
BEGIN
    --code
END
    
GRANT EXECUTE ON [dbo].[ExtendEditSessionLifetime] TO RSExecRole
GO

I wasn't aware of this but it seems that when you create a stored procedure, you can place a GRANT after the END and it becomes part of the definition (I thought it had to be part of the BEGIN .... END construct (when there is one)

Therefore, every time ExtendEditSessionLifetime is run, it is re-granting permissions to RSExecRole.