cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
therealomacoder
Helper I
Helper I

Row Level Security Changed? Implementation in Workspace vs App Workspace

Hi gurus- when we deployed row level security a year ago, I could only get it to apply to the end users when they accessed content via published apps.

If the users went to the reports directly in the workspace, the row level security didn't apply.

 

It seems that maybe has now changed and that row level security is applied in both published apps and content directly in the workspace itself?

 

Can someone confirm this?

1 ACCEPTED SOLUTION
Burningsuit
Solution Sage
Solution Sage

Hi @therealomacoder 

In a workspace, Row Level Security (RLS) is only applied to users with the "Viewer" role. Other workspace members with the "admin", "member" or "contributor" role are not subject to RLS and see the whole data. Anyone consuming reports through an App are subject to RLS. This has been the case since June 2019.

Hope this helps

Stuart

 

View solution in original post

6 REPLIES 6
therealomacoder
Helper I
Helper I

This functionality doesn't always work as expected in all scenarios.

See the idea here that would make this work with shared data sets:
Microsoft Idea  · RLS behaves differently when report and dataset is in different workspaces. (power...

v-caitlyn-mstf
Community Support
Community Support

Hi @therealomacoder ,

 

Agree with @Burningsuit ,

 

RLS does not take effect when you assign roles with edit permissions to a user. In New workspace, the contributor role has edit permissions, and after testing, it is still unable to apply RLS.

 

Does the replies above solve your problem? If it has been solved, please mark the correct reply as the standard answer to help the other members find it more quickly.Thank you very much for your kind cooperation!

 

Hope it helps,


Community Support Team _ Caitlyn

If this post helps then please consider Accept it as the solution to help the other members find it more quickly.

@v-caitlyn-mstf @Burningsuit 

Thank you very much for your input on this question that I raised. Your assistance is greatly appreciated!!

I will accept the solution only because the provided solution matches what the documentation says.

However, my issue is still not solved, and the behavior is not working as designed in my scenario. In this case, Microsoft has escelated my issue to the product team to try and figure out why RLS is still being applied on a user when, per the documentation, it shouldn't be.

Burningsuit
Solution Sage
Solution Sage

Hi @therealomacoder 

In a workspace, Row Level Security (RLS) is only applied to users with the "Viewer" role. Other workspace members with the "admin", "member" or "contributor" role are not subject to RLS and see the whole data. Anyone consuming reports through an App are subject to RLS. This has been the case since June 2019.

Hope this helps

Stuart

 

View solution in original post

@Burningsuit I had to unmark your answer as the solution. Based upon that information you provided, I submitted a defect to Microsoft Support as that is not the behavior we were seeing.

This was their response:


"We would like to inform you that the RLS works on the dataset so even if you have given contributor role to users for a workspace, it will be override and RLS will be implemented.

Thanks & Regards, 

Ravi Kumar| Support Engineer | Microsoft Business Intelligence"

 

Therefore it would seem, RLS has changed within the past year.

Hi @therealomacoder 

Thanks for this, it's very interesting as the Support Engineer seems to contradict the documentation (dated 13 April 2021 here Row-level security (RLS) with Power BI - Power BI | Microsoft Docs)

which says...

 

"If you publish your Power BI Desktop report to a new workspace experience in the Power BI service, the RLS roles are applied to members who are assigned to the Viewer role in the workspace. Even if Viewers are given Build permissions to the dataset, RLS still applies. For example, if Viewers with Build permissions use Analyze in Excel, their view of the data will be protected by RLS. Workspace members assigned AdminMember, or Contributor have edit permission for the dataset and, therefore, RLS doesn’t apply to them. If you want RLS to apply to people in a workspace, you can only assign them the Viewer role. Read more about roles in the new workspaces."

 

It's clear he must be talking about the New Workspaces as the "Contributor" role did not exist in the "classic" workspaces. (They only had "members")

 

Intrigued with this I ran a little test.

1) Created a new Workspace "RLSTEST"

2) Published a dataset with RSL security in it to RLSTEST

3) Assigned RLS roles to users A B and C.

4) Assigned Workspace access as follows .. A is "Member" , B is "Contributor", C is "Viewer".

5) Viewed Report in Workspace RLS as A - No RLS applied

6) Viewed Report in Workspace RSL as B - No RLS applied (This contradicts your Engineer above)

7) Viewed Report in Workspace RLS as C - RLS applied

OK, so much for Workspace access, what about an App ?

1) Created an App from Workspace RLS, shared with A, B and C

2) Viewed App as A - No RLS applied

3) Viewed App as B - No RLS applied (Again this contradicts your Engineer)

4) Viewed App as C - RLS applied

As I understand it this is because of the access A and B have to the Workspace and the "Build" rights they have there. The Workspace access and "Build" rights override RLS.

This can be proved by Removing A B and C from the Workspace.

Then they can only see the App, Viewing the App gives the following result.

A gets RLS

B gets RLS

C gets RLS

I believe this is because they no longer have "Build" rights on the Dataset in the Workspace (They don't have any access to the Workspace at all), hence RLS is applied.

 

I freely admin that I am always learning with Power BI, and I'd really like to know if your experience is the same as mine, or what you're doing differently. I'd also like to know what your Support Engineer has to say in this instance. Maybe I'm doing it wrong and have misunderstood ?

 

Stuart

 

 

Helpful resources

Announcements
UG GA Amplification 768x460.png

Launching new user group features

Learn how to create your own user groups today!

November Power BI Update 768x460.png

Check it Out!

Click here to read more about the November 2021 Updates!

M365 768x460.jpg

Microsoft 365 Collaboration Conference | December 7–9, 2021

Join us, in-person, December 7–9 in Las Vegas, for the largest gathering of the Microsoft community in the world.

Top Kudoed Authors