I am using dynamic RLS with USERPRINCIPALNAME() and published the report to a workspace. The report is added to an App and users are given access via the App only. About the workspace - The workspace was an existing old workspace which seems to have got automatically created when we created a SharePoint project site back in the past. We decided to use the same workspace a couple of days back to publish the report. We did upgrade the workspace to the New workspace experience using the simple Upgrade link.
I have added the user under App > permission and also added the user's email address under the Security RLS role in the dataset as required. Since the user's email address is not currently added in the profile file, as per dynamic RLS he should not be able to see anything, since there will be no matching profile. Everything works as intended when I test using "Test as role" in both Desktop and Power BI Service.
When the user logs in for the first time and accesses the App link, he does not see anything, as expected. But surprisingly, as soon as he "refreshes" the browser, he starts seeing everything! We tried multiple times and observed the same behaviour. I am at a complete loss as to what is happening and what I am possibly missing. Can someone please guide?
Note1: There are more users having access to the corresponding SharePoint site than those assigned in the workspace. Not sure if there is a link. This test user does not have access to either the SharePoint site or the Power BI Workspace (not even Viewer). It's not needed, if I am not wrong, to access the App.
Note2: RLS DAX filter is added to 2 dimension tables and both eventually connect to Fact table in (extended) Star Schema model shown below. There are some bi-directional relationships in which "Allow security filter in both directions" is enabled.
To make it more clear, I need to confirm several questions with you.
1 This user isn’t added to your upgraded workspace as a Contributor, Member or Admin, right?
2 You’ve added this user as a member of the RLS role but there isn’t any row this user has access to, right?
3 Does this issue only take place in this workspace and this report? If you publish this report to a directly created new workspace, will you get this issue? For other reports configured with dynamic RLS, will they have the same issue based on the same configuration?
4 Could you please go to Manage permissions of the report’s dataset to check this user’s permission on this dataset?