Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

sunil-al

RLS may be behaving in an unexpected way

Submitted by on ‎10-26-2020 11:30 AM

TL DR: If there is a role that specifically excludes a segment of your data, but there are not roles that include this segment than workspace admins (for whom RLS should not impact) would also not be able to see the specifically excluded segment.

---

Long version:
We recently moved all our data to azure and could take advantage of scheduled updates from PowerBI Service. We noticed that some of our data started dissapearing from our reports.

 

After a lot of trial and error we've narrowed it down to the RLS behaving in a way that we feel it was not designed to behave.

 

Here's the scenario:

 

Our data has many regions, Most executive level users should see data from all regions except two. Only the admin team should see data from all regions (admin team being the admin in the workspace hosting our dataset) 

 

Since RLS does not apply to workspace admin we created a role called "Unrestricted Access" where NOT([REGION] in {"XYZ1","XYZ2"}), The way it should work is that the workspace admin team should see see XYZ1 and XYZ2 irrespective of the RLS since RLS is not supposed to impact us.

But we noticed that all data from XYZ2 would randomly stop displaying on our reports. This also did not occur regularly but appeared to happen intermitantly. The only connection we found was that our dataset had a role XYZ1 users where [REGION] = "XYZ1" while there was no role that specifically included XYZ2.

 

Once we created a new role for XYZ1 our workspace admin stopped seeing this issue.

 

To replicate issue we created a new fake region called "RLS TEST" and excluded it from our unrestricted access role. We again found that after a scheduled refresh workspace admins intermintently stopped seeing the dummy test data.

 

This makes us conclude that RLS is behaving in a way it is not designed to.

Status: New
See more ideas labeled with:
2 Comments (2 New)
Comments
v-lili6-msft
Community Support
Community Support
‎10-26-2020 11:59 PM

hi  @sunil-al

There is a similar issue had been submitted, ICM: 209123356, will update here once I get any solution.

You could also create a support ticket for assistance.

 

Regards,

Lin

jperry_hisol
Advocate I
Advocate I
‎11-05-2020 06:04 AM

I have also encountered a very similar issue impacting workspace admins and members where by every now and then after a refresh despite have edit rights to the dataset ( so documented behaviour says they should not have any restirctions from RLS applied ) they lose access to some of the data as if they are being forced through an RLS role. As above this is intermittent or at least appears to be. 

 

After further testing this only impacts workspace admins or members who are also in AAD groups used by RLS security. If the member or admin is removed from the AAD group used by the RLS role security in the service then the intermittent issue no longer impacts them so at least we have a work around for this.

 

This is still not expected behaviour though so i would be interested in when a fix may be released for this.

 

Idea Statuses