cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
Highlighted
godwinvarghese Frequent Visitor
Frequent Visitor

User can see all data even if RLS enabled on Power BI Report Server

Hi,

 

I implemented RLS on my power BI report server (January 2019) and it went success.
Implemented the roles and users can access only the data which they are assigned to.

But the problem is, when user edit or download the report to power bi desktop, they can access all the data
in the table even though they are restricted to see only specific data via RLS.

 

The user have just browser permission on the report level.

 

I'm using January 2019 on both server and desktop.

Appreciate your answers.

 

Thanks
GV

5 REPLIES 5
Super User
Super User

Re: User can see all data even if RLS enabled on Power BI Report Server

Actually, I'm thinking that's probably correct but not at all what you intended. Desktop isn't going to know about the roles per say (as in that a user is a member of a particular role). Only the Service or Server know that. I assume what you thought would occur is that when the user downloaded the PBIX that only the data they could see would be there. However, I do not believe that is the case even with the Service actually. I may be mistaken on that.


Did I answer your question? Mark my post as a solution!

Proud to be a Datanaut!


godwinvarghese Frequent Visitor
Frequent Visitor

Re: User can see all data even if RLS enabled on Power BI Report Server

Thanks for your reply, I would like reiterate again on this. What I assume is that RLS is a data “partition” with in a table for each role.
Suppose two users with browser privilege, user1 and user2 from domain 1 and 2 respectively. With the help of RLS we can set user1 to see only domain1 data and domain2 data for user2. All data are in single table here. But if any of the user download the report from pbi server to desktop, they can see all domains data which not i expected. I expect to see only the domain data that users belongs to. Is this a bug or this is the way it designed to be?
Super User
Super User

Re: User can see all data even if RLS enabled on Power BI Report Server

Someone from Microsoft will have to answer definitively on this but I do not think that what you are describing is how RLS works. My understanding is that a User is tied to a Role and a Role is tied to a piece of DAX code. When RLS is enabled, the DAX code pre-filters the data model within the Service or Report Server. Outside of that model, if you allow users to download PBIX files, then it's just data.


Did I answer your question? Mark my post as a solution!

Proud to be a Datanaut!


d_gosbell Member
Member

Re: User can see all data even if RLS enabled on Power BI Report Server

I'm not from MS, but I've been working with the tabular engine since it was first released. Greg's answer is 100% correct. The RLS filters are an extra DAX filter that is applied at query time. The underlying data is not physically partitioned, the PBIX file contains all the data for all the roles.

 

So the key take away here is that if you have enabled RLS in a Power BI file you should not enable end users that are not allowed to see all the data to download the pbix file.

godwinvarghese Frequent Visitor
Frequent Visitor

Re: User can see all data even if RLS enabled on Power BI Report Server

do we have any feature/ Process to disable the download option for the end users from downloading the data from power BI server?