cancel
Showing results for 
Search instead for 
Did you mean: 

RLS may be behaving in an unexpected way

TL DR: If there is a role that specifically excludes a segment of your data, but there are not roles that include this segment than workspace admins (for whom RLS should not impact) would also not be able to see the specifically excluded segment.

---

Long version:
We recently moved all our data to azure and could take advantage of scheduled updates from PowerBI Service. We noticed that some of our data started dissapearing from our reports.

 

After a lot of trial and error we've narrowed it down to the RLS behaving in a way that we feel it was not designed to behave.

 

Here's the scenario:

 

Our data has many regions, Most executive level users should see data from all regions except two. Only the admin team should see data from all regions (admin team being the admin in the workspace hosting our dataset) 

 

Since RLS does not apply to workspace admin we created a role called "Unrestricted Access" where NOT([REGION] in {"XYZ1","XYZ2"}), The way it should work is that the workspace admin team should see see XYZ1 and XYZ2 irrespective of the RLS since RLS is not supposed to impact us.

But we noticed that all data from XYZ2 would randomly stop displaying on our reports. This also did not occur regularly but appeared to happen intermitantly. The only connection we found was that our dataset had a role XYZ1 users where [REGION] = "XYZ1" while there was no role that specifically included XYZ2.

 

Once we created a new role for XYZ1 our workspace admin stopped seeing this issue.

 

To replicate issue we created a new fake region called "RLS TEST" and excluded it from our unrestricted access role. We again found that after a scheduled refresh workspace admins intermintently stopped seeing the dummy test data.

 

This makes us conclude that RLS is behaving in a way it is not designed to.

Status: New
Comments
Community Support

hi  @sunil-al

There is a similar issue had been submitted, ICM: 209123356, will update here once I get any solution.

You could also create a support ticket for assistance.

 

Regards,

Lin

Advocate I

I have also encountered a very similar issue impacting workspace admins and members where by every now and then after a refresh despite have edit rights to the dataset ( so documented behaviour says they should not have any restirctions from RLS applied ) they lose access to some of the data as if they are being forced through an RLS role. As above this is intermittent or at least appears to be. 

 

After further testing this only impacts workspace admins or members who are also in AAD groups used by RLS security. If the member or admin is removed from the AAD group used by the RLS role security in the service then the intermittent issue no longer impacts them so at least we have a work around for this.

 

This is still not expected behaviour though so i would be interested in when a fix may be released for this.