Excel Reports Security Model
Anyone with the ability to modify PPM report types and to add a file in the Excel templates directory can create a new Excel report.
The report type is used to control which PPM users can run the report. However, no security check is performed when the report is run. That means that if a PPM user does not have access to a specific project in PPM but that a report retrieve data from this project (either through a Dashboard Datasource or a direct SQL), the PPM user will be able to view this project’s data in the report as long as the user can execute or view the report.
Note: Because scripting is allowed in the Excel template and scripting enables users to run arbitrary code on the PPM Server, only trusted users can have authority to modify the Excel templates stored on the PPM Server. Excel templates on PPM Server should be treated with the same level of caution as JSP files.