Row level security in workspace not enforced after permission change

Situation:
I have PBI workspaces of the new generation and a report with RLS configured. The report is distributed to several stakeholders, e.g. marketing and director; there is a common "entry page" with buttons which then direct to specific sections of the report. When a user of role "marketing manager" clicks on marketing, he can access those specific pages, but if he clicks on director he is redirected to a "permission denied" page. Testing on role level ("view as marketing manager") is working. Problems arise on a user level; in the following I describe the tested scenarios.


 

Workspace A:
- A user has no workspace rights or roles. When he accesses the report via Embedded, he gets an access error as expected.

- I assign the user to workspace viewers and to RLS role, RLS is enforced & everything is working as intended.

- Several users already have been assigned contributor/member rights - but as I understand, RLS is only enforced for viewers.

- So I demoted those users to WS viewers (or deleted them from WS); but instead of getting the redirect or an access error, RLS seems to continue not being enforced. My suspicion: once a user obtained workspace rights higher than viewer, RLS no longer works for him regardless of future permission change.

 

Workspace B:
Here, users are not added to the workspace directly, but through AAD security groups (tested users are guest users in this tenant). Some user has contributor rights and the "marketing manager" role. Because of his WS rights, I would expect that RLS is not enforced; however, it is. For a different user, who is contributor and additionally member, RLS does not apply - this does not make any sense to me...

Am I missing some configuration here or is someone able to replicate these scenarios/encountered them before?
As a quick fix for A) I could of course delete the WS and set up a new one. But once we are productive, if permissions change, that's kind of a hassle as I would also have to touch the following embedded implementation.
Any suggestions are kindly appreciated 🙂

PS: This is my first community post, hope I chose the correct topic/section.

Status: Delivered

Refresh User Permissions REST API can help refresh user permissions.

Users - Refresh User Permissions - REST API (Power BI Power BI REST APIs) | Microsoft Docs

Comments
v-cazheng-msft
Community Support
Status changed to: Investigating

Hi @MaxTheAnalyst ,

 

RLS only works for workspace viewers and it doesn’t apply to users with Edit permissions on the workspace content. According to the design, users with the Admin, Member and Contributor roles in the workspace have Edit permissions. Thus, if you would like a user to be restricted by RLS, this user needs to be a Viewer who only has Read permission to workspace content such as the report. Users who don’t even have Read permission to the report will get an access error.

 

Normally, if you change a user from a role that has Edit permission to a role that has Read permission, RLS will work for this user and only display the data that this user can access. If you degrade the permissions of the user but don’t see the changes take effect, please try these steps.

1. Refresh the browser page later and try again.

2. Check the report's Manage permissions page to see which roles and permissions these users have there.

3. Check whether users are added to the workspace more than once, both directly and through a group.

 

After changing the permissions of users, you may use Refresh User Permissions (Users - Refresh User Permissions - REST API (Power BI Power BI REST APIs) | Microsoft Docs) to ensure they’re fully updated.

 

Best Regards,

Community Support Team _ Caiyun
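
The rule in the reply above (RLS applies only to workspace Viewers, while Admin, Member and Contributor have Edit permission) combined with step 3 (a user added both directly and through a group), as an added example that is not part of the original thread. It assumes the highest role across all direct and group assignments is the effective one; the records are constructed, shaped like the Power BI REST response that lists workspace users, and all function and variable names are hypothetical.

```python
# Added example: which RLS role members does the workspace actually filter?
EDIT_ROLES = {"Admin", "Member", "Contributor"}  # Edit permission: RLS not applied
RANK = {"Viewer": 0, "Contributor": 1, "Member": 2, "Admin": 3}
# Constructed sample, shaped like the "value" array of GET /groups/{groupId}/users.
SAMPLE_WORKSPACE_USERS = [
    {"identifier": "anna@example.com", "principalType": "User", "groupUserAccessRight": "Viewer"},
    {"identifier": "bob@example.com", "principalType": "User", "groupUserAccessRight": "Contributor"},
    {"identifier": "sg-marketing", "principalType": "Group", "groupUserAccessRight": "Member"},
    {"identifier": "sg-readers", "principalType": "Group", "groupUserAccessRight": "Viewer"},
]
# Constructed group membership and RLS role mapping (hypothetical exports).
SAMPLE_GROUP_MEMBERS = {
    "sg-marketing": ["carol@example.com"],
    "sg-readers": ["bob@example.com", "carol@example.com", "dave@example.com"],
}
SAMPLE_RLS_MEMBERS = {
    "marketing manager": ["anna@example.com", "bob@example.com", "carol@example.com",
                          "dave@example.com", "eve@example.com"],
}

def effective_grants(workspace_users, group_members):
    """Return {user: [(role, source), ...]} with group assignments expanded."""
    grants = {}
    for entry in workspace_users:
        role, ident = entry["groupUserAccessRight"], entry["identifier"]
        if entry["principalType"] == "Group":
            for member in group_members.get(ident, []):
                grants.setdefault(member, []).append((role, "group:" + ident))
        else:
            grants.setdefault(ident, []).append((role, "direct"))
    return grants

def audit_rls(workspace_users, group_members, rls_members):
    """Map each RLS role member to (status, rls_role, sources of workspace access)."""
    grants = effective_grants(workspace_users, group_members)
    report = {}
    for rls_role, users in rls_members.items():
        for user in users:
            held = grants.get(user, [])
            if not held:  # no workspace access at all: expect an access error
                report[user] = ("no-access", rls_role, [])
                continue
            # Assumption: the highest role over all assignments is the effective one.
            top = max(held, key=lambda g: RANK.get(g[0], -1))[0]
            status = "bypassed" if top in EDIT_ROLES else "enforced"
            report[user] = (status, rls_role, sorted(src for _, src in held))
    return report

print(audit_rls(SAMPLE_WORKSPACE_USERS, SAMPLE_GROUP_MEMBERS, SAMPLE_RLS_MEMBERS))
```

Users reported as `bypassed` are the ones to demote to Viewer if RLS is meant to apply to them; the listed sources show every assignment that has to change.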

MaxTheAnalyst
Regular Visitor

@v-cazheng-msft  Thanks for your reply and suggestions!

I tried 1-3 and it seems that it just takes at least several hours for the granted workspace rights to be revoked. I didn't expect that, as granting higher workspace rights or RLS role changes take effect immediately.

I will remember your API call suggestion, it comes in handy in case I need to speed up rights revocation in the future.

So with that knowledge everything works as intended - thanks for your help, issue solved 🙂

v-cazheng-msft
Community Support

@MaxTheAnalyst,

 

That's great! Thanks for your reply!

 

Best Regards,

Community Support Team _ Caiyun

v-cazheng-msft
Community Support
Status changed to: Delivered
