PowerBI Service Account granting duplicate execute permissions on stored procedure almost constantly
-
06-02-2021 - |
Question
I have PowerBi Server (Jan 2019) installed on my server. I can see from the default trace that that the PowerBi Service account NT SERVICE\PowerBIReportServer
is granting execute permissions on a stored procedure ExtendEditSessionLifetime
to the RSExecRole
(within the ReportServer
database):
GRANT EXECUTE ON [dbo].[ExtendEditSessionLifetime] TO RSExecRole
This is happening frequently many times during the hour, most hours (around 50 times an hour) there doesn't seem to a pattern that I can see and I can't find any documentation online about what the stored procedure does. I can't see anything obvious in the PowerBI logfiles or the event viewer either.
What could be causing this (or is it intended behaviour?)
Solution
I have worked out what is happening here. tl/dr - There was a missing batch separator between a stored procedure and the associated GRANT
statement.
If I run:
SELECT *
FROM sys.sql_modules
WHERE definition LIKE '%GRANT EXECUTE ON \[dbo\].\[ExtendEditSessionLifetime\] TO RSExecRole%' ESCAPE '\'
I can see stored procedures that have that grant statement within them.
This returned one record and the definition field begins
CREATE PROC [dbo].[ExtendEditSessionLifetime] @EditSessionID varchar(32)......
If I navigate to this stored procedure in the object tree and right click and script it out, I can see text of the stored procedure:
CREATE PROC [dbo].[ExtendEditSessionLifetime]
-- params
AS
BEGIN
--code
END
GRANT EXECUTE ON [dbo].[ExtendEditSessionLifetime] TO RSExecRole
GO
I wasn't aware of this but it seems that when you create a stored procedure, you can place a GRANT
after the END
and it becomes part of the definition (I thought it had to be part of the BEGIN .... END
construct (when there is one)
Therefore, every time ExtendEditSessionLifetime
is run, it is re-granting permissions to RSExecRole
.