
Dynamic RLS not working consistently - sometimes Access Denied (RLS), or shows All data

Hi,

I am using dynamic RLS with USERPRINCIPALNAME() and published the report to a workspace. The report is added to an App and users are given access via the App only. About the workspace: the workspace was an existing old workspace which seems to have been created automatically when we created a SharePoint project site in the past. We decided a couple of days back to use the same workspace to publish the report. We did upgrade the workspace to the new workspace experience using the simple Upgrade link.

I have added the user under App > permission and also added the user's email address under the Security RLS role in the dataset as required. Since the user's email address is not currently added in the profile file, as per dynamic RLS he should not be able to see anything, since there will be no matching profile. Everything works as intended when I test using "Test as role" in both Desktop and Power BI Service.

 

When the user logs in for the first time and accesses the App link, he does not see anything, as expected. But surprisingly, as soon as he "refreshes" the browser, he starts seeing everything! We tried multiple times and observed the same behaviour. I am at a complete loss as to what is happening and what I am possibly missing. Can someone please guide?

 

Note1: There are more users having access to the corresponding SharePoint site than those assigned in the workspace. Not sure if there is a link. This test user does not have access to either the SharePoint site or the Power BI workspace (not even Viewer). It's not needed, if I am not wrong, to access the App.

Note2: RLS DAX filter is added to 2 dimension tables and both eventually connect to Fact table in (extended) Star Schema model shown below. There are some bi-directional relationships in which "Allow security filter in both directions" is enabled.

nirmit27_0-1640281897541.png

 

 

 

Status: Investigating

Hi @nirmit27 

 

To make it clearer, I need to confirm several questions with you.

1 This user isn’t added to your upgraded workspace as a Contributor, Member or Admin, right?

2 You’ve added this user as a member of the RLS role but there isn’t any row this user has access to, right?

3 Does this issue only take place in this workspace and this report? If you publish this report to a directly created new workspace, will you get this issue? For other reports configured with dynamic RLS, will they have the same issue based on the same configuration?

4 Could you please go to Manage permissions of the report’s dataset to check this user’s permission on this dataset?

vcazhengmsft_0-1640316409423.png

 

Best Regards,

Community Support Team _ Caiyun

Comments
v-cazheng-msft
Community Support
Status changed to: Investigating

nirmit27
Helper II

Hi @v-cazheng-msft 

Please see answers below:

1 This user isn’t added to your upgraded workspace as a Contributor, Member or Admin, right? - Correct, not even a Viewer

2 You’ve added this user as a member of the RLS role but there isn’t any row this user has access to, right? - Correct, his email address is not maintained in the mapping/user table (for testing the No Access scenario. But I will need to add it later to give access to "all" data)

3 Does this issue only take place in this workspace and this report? - Yes
If you publish this report to a directly created new workspace, will you get this issue? - I published this report yesterday to another Premium capacity workspace, newly created a week back, and tested the results today. It seems to be working fine there. Though I will defer to your advice even in this case if this is the correct expected behaviour > The user refreshed the dashboard 5-6 times and every time he is presented with only the report layout and no data, as expected (but no warning like Access Denied due to RLS etc.).
However, I am a little worried that this workspace report should also not become unstable after I add and remove the user back and forth several times from the RLS role and/or App permission for end-to-end testing. This is a highly sensitive report and we cannot afford to release it with any kind of security leakage.

View in new workspace:

nirmit27_0-1640336665654.png

 


For other reports configured with dynamic RLS, will they have the same issue based on the same configuration? - We don't have any other report in this workspace currently. This is a new business requirement.

4 Could you please go to Manage permissions of the report’s dataset to check this user’s permission on this dataset? - Please see below. User highlighted in green has App level access only and not workspace level.

nirmit27_3-1640334076210.png

 

Two more observations I would like to share with you:
1. The user is not from this organization but is an employee of an external company. He has two email ids. One of his own, say user@externalcompany.com. And another of this organization's, say user@org.com. The report is published in the organization's workspace.

I had added user@org.com in both the App permission and the RLS role; however, in the Dataset view above, you can see it shows as user@externalcompany.com. So it appears to me that both his email accounts are kind of linked (kind of aliases) within this organization's directory. He is logging in with user@org.com to see the Power BI report. Also, USERPRINCIPALNAME() returns user@org.com. He gets a no access screen when he tries to log in using his external company id. Could this mixup be causing any potential issues? Why not in the brand new workspace though?

2. The report view in the old workspace is unstable, i.e. it shows nothing or shows all randomly. However, I notice one component on the top right in the image below today correctly not showing any data every time. This means it appears this is the only component which is working "today" as expected (but yesterday this was not the case!)

View (showing data) in old workspace:

nirmit27_5-1640335175373.png

'See details' link shows this:

 

nirmit27_4-1640334615250.png

Please let me know if more info needed. Thanks for your support.

Nirmit
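
The checks behind questions 1 and 4 above can be scripted; the following is an added example, not part of the original thread. It relies on the documented Power BI behaviour that RLS is not applied to workspace Admins, Members or Contributors, nor to principals holding write permission on the dataset. The field names are assumed to follow the REST API "Get Group Users" and "Get Dataset Users" responses, and all sample data and function names are constructed for illustration.

```python
import json

# Constructed sample data, shaped like the "value" arrays of the two API responses.
WORKSPACE_USERS = json.loads("""[
  {"identifier": "author@org.com",  "groupUserAccessRight": "Admin"},
  {"identifier": "analyst@org.com", "groupUserAccessRight": "Viewer"}
]""")
DATASET_USERS = json.loads("""[
  {"identifier": "author@org.com",  "datasetUserAccessRight": "ReadWriteReshareExplore"},
  {"identifier": "analyst@org.com", "datasetUserAccessRight": "Read"},
  {"identifier": "user@externalcompany.com", "datasetUserAccessRight": "Read"}
]""")

# Workspace roles that carry edit rights on the dataset; RLS does not filter them.
EDIT_ROLES = {"Admin", "Member", "Contributor"}


def rls_bypass_reasons(workspace_users, dataset_users):
    """Map each lower-cased identifier to the reasons RLS would not filter it."""
    reasons = {}
    for user in workspace_users:
        role = user.get("groupUserAccessRight", "")
        if role in EDIT_ROLES:
            reasons.setdefault(user["identifier"].lower(), []).append(
                "workspace role " + role)
    for user in dataset_users:
        right = user.get("datasetUserAccessRight", "")
        if "Write" in right:  # any right that includes write access
            reasons.setdefault(user["identifier"].lower(), []).append(
                "dataset permission " + right)
    return reasons


def audit_role_members(role_members, workspace_users, dataset_users):
    """Classify each RLS role member as bypassed, enforced or no-dataset-entry."""
    bypass = rls_bypass_reasons(workspace_users, dataset_users)
    listed = {u["identifier"].lower() for u in dataset_users}
    result = {}
    for member in role_members:
        key = member.lower()
        if key in bypass:
            result[member] = "bypassed: " + "; ".join(bypass[key])
        elif key in listed:
            result[member] = "enforced"
        else:
            # Role member has no dataset permission entry under this identifier,
            # e.g. the directory lists the account under another address.
            result[member] = "no-dataset-entry"
    return result


if __name__ == "__main__":
    members = ["author@org.com", "analyst@org.com", "user@org.com"]
    for name, status in audit_role_members(
            members, WORKSPACE_USERS, DATASET_USERS).items():
        print(name, "->", status)
```

A `no-dataset-entry` result corresponds to the situation in the first observation above, where the role member was added as user@org.com but the dataset permission list shows user@externalcompany.com; such entries need a manual identity check.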