Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Earn the coveted Fabric Analytics Engineer certification. 100% off your exam for a limited time only!

Reply
therealomacoder
Helper II
Helper II

Row Level Security Changed? Implementation in Workspace vs App Workspace

Hi gurus- when we deployed row level security a year ago, I could only get it to apply to the end users when they accessed content via published apps.

If the users went to the reports directly in the workspace, the row level security didn't apply.

 

It seems that maybe has now changed and that row level security is applied in both published apps and content directly in the workspace itself?

 

Can someone confirm this?

1 ACCEPTED SOLUTION
Burningsuit
Resident Rockstar
Resident Rockstar

Hi @therealomacoder 

In a workspace, Row Level Security (RLS) is only applied to users with the "Viewer" role. Other workspace members with the "admin", "member" or "contributor" role are not subject to RLS and see the whole data. Anyone consuming reports through an App are subject to RLS. This has been the case since June 2019.

Hope this helps

Stuart

 

View solution in original post

12 REPLIES 12
therealomacoder
Helper II
Helper II

This functionality doesn't always work as expected in all scenarios.

See the idea here that would make this work with shared data sets:
Microsoft Idea  · RLS behaves differently when report and dataset is in different workspaces. (power...

v-xiaoyan-msft
Community Support
Community Support

Hi @therealomacoder ,

 

Agree with @Burningsuit ,

 

RLS does not take effect when you assign roles with edit permissions to a user. In New workspace, the contributor role has edit permissions, and after testing, it is still unable to apply RLS.

 

Does the replies above solve your problem? If it has been solved, please mark the correct reply as the standard answer to help the other members find it more quickly.Thank you very much for your kind cooperation!

 

Hope it helps,


Community Support Team _ Caitlyn

If this post helps then please consider Accept it as the solution to help the other members find it more quickly.

@v-xiaoyan-msft @Burningsuit 

Thank you very much for your input on this question that I raised. Your assistance is greatly appreciated!!

I will accept the solution only because the provided solution matches what the documentation says.

However, my issue is still not solved, and the behavior is not working as designed in my scenario. In this case, Microsoft has escelated my issue to the product team to try and figure out why RLS is still being applied on a user when, per the documentation, it shouldn't be.

Burningsuit
Resident Rockstar
Resident Rockstar

Hi @therealomacoder 

In a workspace, Row Level Security (RLS) is only applied to users with the "Viewer" role. Other workspace members with the "admin", "member" or "contributor" role are not subject to RLS and see the whole data. Anyone consuming reports through an App are subject to RLS. This has been the case since June 2019.

Hope this helps

Stuart

 

@Burningsuit  please what do you mean by " Anyone consuming reports through an App are subject to RLS. This has been the case since June 2019" If we pass through Apps in Power Bi service the RLS will be applied to Contibutors and Members ?

Hi @IkramElmarksi 

To clarify, anyone consuming reports through an App, that are not Admin, Members or Contributors to the App's Workpace, are subject to RLS in that App.

Being an Admin, Member or Contributor to the Workspace will remove RLS, no matter how you consume the content (App, Shared Reports etc. ).

Hope this helps

Stuart

@Burningsuit I had to unmark your answer as the solution. Based upon that information you provided, I submitted a defect to Microsoft Support as that is not the behavior we were seeing.

This was their response:


"We would like to inform you that the RLS works on the dataset so even if you have given contributor role to users for a workspace, it will be override and RLS will be implemented.

Thanks & Regards, 

Ravi Kumar| Support Engineer | Microsoft Business Intelligence"

 

Therefore it would seem, RLS has changed within the past year.

Hi @therealomacoder 

Thanks for this, it's very interesting as the Support Engineer seems to contradict the documentation (dated 13 April 2021 here Row-level security (RLS) with Power BI - Power BI | Microsoft Docs)

which says...

 

"If you publish your Power BI Desktop report to a new workspace experience in the Power BI service, the RLS roles are applied to members who are assigned to the Viewer role in the workspace. Even if Viewers are given Build permissions to the dataset, RLS still applies. For example, if Viewers with Build permissions use Analyze in Excel, their view of the data will be protected by RLS. Workspace members assigned AdminMember, or Contributor have edit permission for the dataset and, therefore, RLS doesn’t apply to them. If you want RLS to apply to people in a workspace, you can only assign them the Viewer role. Read more about roles in the new workspaces."

 

It's clear he must be talking about the New Workspaces as the "Contributor" role did not exist in the "classic" workspaces. (They only had "members")

 

Intrigued with this I ran a little test.

1) Created a new Workspace "RLSTEST"

2) Published a dataset with RSL security in it to RLSTEST

3) Assigned RLS roles to users A B and C.

4) Assigned Workspace access as follows .. A is "Member" , B is "Contributor", C is "Viewer".

5) Viewed Report in Workspace RLS as A - No RLS applied

6) Viewed Report in Workspace RSL as B - No RLS applied (This contradicts your Engineer above)

7) Viewed Report in Workspace RLS as C - RLS applied

OK, so much for Workspace access, what about an App ?

1) Created an App from Workspace RLS, shared with A, B and C

2) Viewed App as A - No RLS applied

3) Viewed App as B - No RLS applied (Again this contradicts your Engineer)

4) Viewed App as C - RLS applied

As I understand it this is because of the access A and B have to the Workspace and the "Build" rights they have there. The Workspace access and "Build" rights override RLS.

This can be proved by Removing A B and C from the Workspace.

Then they can only see the App, Viewing the App gives the following result.

A gets RLS

B gets RLS

C gets RLS

I believe this is because they no longer have "Build" rights on the Dataset in the Workspace (They don't have any access to the Workspace at all), hence RLS is applied.

 

I freely admin that I am always learning with Power BI, and I'd really like to know if your experience is the same as mine, or what you're doing differently. I'd also like to know what your Support Engineer has to say in this instance. Maybe I'm doing it wrong and have misunderstood ?

 

Stuart

 

 

Hi @Burningsuit 

the documentation you referenced does not mention APP access explicity, it only talks about Workspaces. This documentation https://learn.microsoft.com/en-us/power-bi/guidance/rls-guidance does mention APPS and says

When a specific user can see all data, it's possible they're accessing reports directly in the workspace and they're the dataset owner. RLS is only enforced when:

  • The report is opened in an app.
  • The report is opened in a workspace, and the user is mapped to the Viewer role.

But that is NOT the experienced behaviour. RLS for workspaces owners is NOT applied in the APP, as per your testing and my own testing. Is this a bug?

Best Wishes

Andrew Dale

Hi @UOLandrewdale 

It amuses me how this topic lingers on.

No, I don't think it is a bug. The documentation may be at fault for not explicitly explaining every possible scenario, but two minutes experimentation (and some thought) explains what is going on very clearly.

RSL is applied in an App if the App users are not Admin, Members or Contributors in the Workspace the App is built from. 

To me this makes perfect sense. Why apply RLS in an App, when the Admin, Members or Contributors in the Workspace can simply go to the Workspace and see all the data ?

Some basic thought here explains what's going on.

1) Power BI separates Data (Datasets) from Visualisations (Reports)

2) Permissions are applied to a Dataset

3) Building an App from a Workspace copies the Visualisations (Reports) into the App and connects them back to the Data (Datasets) in the Workspace.

3) If an Admin, Member or Contributor can see all data in the Workspace, they can see all data in the App.  Because there is only one location of the Data and Permissions are applied on that Data.

As a footnote to all this, in my nearly 50 years in Computing and IT I have found that when the Documentation contradicts your real-world experience it is nearly always the documentation that is wrong!

Hope this helps

Stuart

 

RE: Why apply RLS in an App, when the Admin, Members or Contributors in the Workspace can simply go to the Workspace and see all the data?

Just because the admin/contributor can switch back to the workspace if they want to see all of the data is not justification for having the RLS of the app behave differently. For the Microsoft's and Facebook's of the world where the roles are clearly defined and separated, that makes perfect sense. But that doesn't fit the small businesses of the world. When the admin/member/contributer is also a consumer, their experience in an app should be the same as everyone else in the app. First example is testing. If RLS worked the same in a deployed app for everyone who has access, then the functionality could be tested by the contributor. Otherwise I find myself asking a non-contributor for their username, password, and 2FA just so I can test that the RLS at the app level is working as expected. In all of my years working at the database level and handling RLS, I don't get to go into the business view and see all data just because I also happen to be a developer.

well detailed scenarios I would love that someone with more experience confirm this?

Thank you

Helpful resources

Announcements
April AMA free

Microsoft Fabric AMA Livestream

Join us Tuesday, April 09, 9:00 – 10:00 AM PST for a live, expert-led Q&A session on all things Microsoft Fabric!

March Fabric Community Update

Fabric Community Update - March 2024

Find out what's new and trending in the Fabric Community.

Top Solution Authors
Top Kudoed Authors