Ali Ryder 🧑‍💼 Staff
over 1 year ago
Complete

"Get New Reports" right causes unintended additional access

An admin staff I was working with was concerned that they could access reports that were "private" to only one service provider, while they were logged in somewhere else. So I tested it out and figured out the root issue.

For context, though, here are the steps to reproduce:

  1. Configure a CUSTOM report to only be visible at one Service Provider. In my screenshot above, the SP I have is "Region of Oz".

  2. Grant a user access to ONLY a service provider that is not the one selected above. Give them rights that include Log On, Display Reports, Generate Reports, and View Report Manager (but no other rights in the Report Manager category).

  3. Log in as that user. Go to the Report Manager and attempt to locate the report.

  4. Report should NOT appear, as expected (this is good)

  5. Now, modify the same user account and grant the right to "Get New Reports"

  6. Log in as that user. Go to the Report Manager and attempt to locate the report.

  7. The report WILL now appear, along with every other report that exists in HIFIS.

I think that the Get New Reports right is probably intended to provide access to HIFIS Reports (not Custom Reports) that have not yet been deployed to the HIFIS instance. But I don't think it's supposed to grant access to Custom Reports that have been uploaded but are attached to other service providers a user doesn't have access to.

📊Reporting 👉Rights 4.0.60.2 😕Incorrect Behaviour
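
The following is an added example, not part of the original post and not HIFIS code: a small Python model of the behaviour in steps 1 to 7 next to the scoping the post expects, with a check that flags Custom Reports visible outside a user's service providers. All class, function and report names are hypothetical, and the "expected" rule is an assumption taken from the poster's reading of the "Get New Reports" right.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Report:
    name: str
    custom: bool           # True = Custom Report, False = HIFIS Report
    providers: frozenset   # service providers the report is visible at
    deployed: bool = True  # False = not yet deployed to this instance

# Constructed sample data; "Region of Oz" is the SP named in the post.
REPORTS = [
    Report("Oz private custom", True, frozenset({"Region of Oz"})),
    Report("Other SP custom", True, frozenset({"Other SP"})),
    Report("Undeployed HIFIS report", False, frozenset(), deployed=False),
]
BASE = frozenset({"Log On", "Display Reports", "Generate Reports",
                  "View Report Manager"})

def in_scope(user_sps):
    """Reports attached to at least one SP the user can access."""
    return {r.name for r in REPORTS if r.providers & user_sps}

def observed(rights, user_sps):
    """Behaviour reported in steps 5-7: the right bypasses the SP filter."""
    if "Get New Reports" in rights:
        return {r.name for r in REPORTS}
    return in_scope(user_sps)

def expected(rights, user_sps):
    """Assumed intent: the right only adds undeployed HIFIS Reports."""
    names = in_scope(user_sps)
    if "Get New Reports" in rights:
        names |= {r.name for r in REPORTS if not r.custom and not r.deployed}
    return names

def out_of_scope_custom(visible_fn, rights, user_sps):
    """Custom Reports the user can see that belong only to other SPs."""
    foreign = {r.name for r in REPORTS
               if r.custom and not (r.providers & user_sps)}
    return visible_fn(rights, user_sps) & foreign

if __name__ == "__main__":
    sps = frozenset({"Other SP"})  # user has no access to "Region of Oz"
    for fn in (observed, expected):
        for rights in (BASE, BASE | {"Get New Reports"}):
            print(fn.__name__, "Get New Reports" in rights,
                  sorted(out_of_scope_custom(fn, rights, sps)))
```

A check like `out_of_scope_custom` can be run as a regression test for every right in the Report Manager category, since any non-empty result means a right has widened service-provider scope.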