Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Get Fabric Certified for FREE during Fabric Data Days. Don't miss your chance! Request now

0
VAMI

BUG: Downgrading Permissions on Workspace

Submitted by Advocate I on ‎05-12-2023 05:12 AM

When I have a user that is assigned the permission "member" on a workspace, once I downgrade the workspace permissions to "viewer", the user still can access the report like a member, which disables all row-level security that is inplace. I tested this for multiple users and multiple workspaces. Also the user is not in agroup with different permission settings. Only solution so far is to open a new workspace and give them the "viewer" role initially. 

 

Would really appreciate a Bugfix regarding this topic.

Status: Delivered
See more ideas labeled with:
8 Comments (8 New)
Comments
Anonymous
Not applicable
‎05-15-2023 02:24 AM

Hi @VAMI 

Usually, after a user's role is changed from member to viewer, they are not able to enjoy the same privileges as before. After you make sure your role change is successful, you can have the corresponding user clear their browser cache and log back in to test.

 

Best Regards,
Community Support Team _ Ailsa Tao

VAMI
Advocate I
Advocate I
‎05-16-2023 07:35 AM

Hi @v-yetao1-msft

 

I have done everything as described, but once I test the users role (Viewer and RLS) via the view as function on Power BI Service, I see the report as if the user would be a member of the workspace. Initially I thought there would be a timing delay, but even after a weekend the downgraded user can still see the report as if he would be a member of the workspace.

 

All the best

Valentin

Anonymous
Not applicable
‎05-26-2023 06:03 AM

Is there any update on this topic?

 

I have a similar experience when a user had the member privileges in first place. After setting back to Viewer role the user can still see all entries (although RLS is active for this user).

It seems that the user has still member rights in the background.

 

@Anonymouscan you advise on what to do?

Thanks for your help.

VAMI
Advocate I
Advocate I
‎06-01-2023 12:52 AM

Hi @Anonymous, 

 

Unfortunately there is no update on the topic from my side yet. In some cases the problem resolves itself with a significant time delay of about a week, but in some cases the member status seems still active in the backgroud, even after a significant amount of time has passed. 

mike_honey
Memorable Member
Memorable Member
‎12-20-2023 04:12 PM

Just bumped into this issue, confirmed the affected users were inadvertently added as Members. Deleting their permissions and recreating them as Viewers does not resolve it.
Deployed the report into a separate workspace and added them as Viewers - "Test as role" shows secured data access as expected.
Super frustrating - this major security loophole allowing unauthorised access into a Microsoft product has been ignored for months.

Only options to resolve seem to be:
1. delete the entire workspace and start again
2. move affected users to a parallel workspace. No systematic way to know who they are, so this one is not very viable.  

VAMI
Advocate I
Advocate I
‎12-21-2023 12:13 AM

Hi @mike_honey 

I have not checked on this issue again lately, but im kind of bummed, that the issue seemingly is still unsolved by #microsoft. 

It seems that downgrading workspace permissions is still not an option if you want to make sure no security loopholes are created. As described the only current solution includes a new workspace. Could be even more frustrating if the affected workspace runs on a premium or fabric capacity.

mike_honey
Memorable Member
Memorable Member
‎12-21-2023 07:25 PM

If anyone from Microsoft is tuning in, I've raised a support Case 2312210030000070 for this issue.

My project team agreed to delete the workspace and start again, which avoided this issue - for now.

Highlights the importance of maintaining a user list outside of Power BI, as the web UI doesn't offer any easy way to extract that info.

mike_honey
Memorable Member
Memorable Member
‎12-21-2023 08:46 PM

Had a call with a Microsoft support engineer just now, where we tried to repro the issue. However the user's access was correctly restricted, so we couldn't repro. A bit frustrating. Must be something specific in the sequence of events that triggers this bug.

Idea Statuses