There seems to be a bug or miscommunication as it pertains to securing SQL Server Report Models using model item security from SQL Server Management Studio.
There is a fairly sparce Tutorial regarding row-level security on MSDN. Their Tutorial 3 goes over Row Level Security on Report Models. It states "Security filters are always applied, even for users who have Content Manager or Administrator permissions to the model."
This is not true and is a rather confusing. An Administrator is a Windows security permission concept. A Content Manager is a Reporting Services security concept. Yes, the Administrator ID or AD Group from Windows will be evaluated for security when rendering a report on this model. If you have not be provided access specifically, you will be denied access to the report.
This differs from Content Manager. I cannot tell if this is a bug, or by design..but most likely a bug. Here's the kicker. If your user is a Content Manager, they will see all data regardless of SecurityFilter. Since the definition of a Content Manager is one who may manage folders, reports and resources...basically the objects that serve up data I believe this to be a bug.
To see this behavior, follow the tutorial to add security that filters based upon user id. Then add an "All Data" filter, basically a filter with no criteria that will evaluate as true to provide all data regardless of user. In order to lock this down, go to Model Item Security in SSMS and define only 1 user with access to this attribute.
The way securityfilters are handled in SSRS is the UNION of all applied. By partitioning the user rights in SSMS you disallow access to certain users.
However, if your user is a Content Manager they will be able to see everything. Basically the UNION remains in tact for them. I have logged this as a bug on Microsoft Connect with steps to reproduce. We'll see what they say.
