BUG: Downgrading Permissions on Workspace

When I have a user that is assigned the permission "member" on a workspace, once I downgrade the workspace permissions to "viewer", the user still can access the report like a member, which disables all row-level security that is in place. I tested this for multiple users and multiple workspaces. Also the user is not in a group with different permission settings. Only solution so far is to open a new workspace and give them the "viewer" role initially.

Would really appreciate a Bugfix regarding this topic.

Status: Delivered

Hi @VAMI 

Usually, after a user's role is changed from member to viewer, they are not able to enjoy the same privileges as before. After you make sure your role change is successful, you can have the corresponding user clear their browser cache and log back in to test.

Best Regards,
Community Support Team _ Ailsa Tao

Comments
v-yetao1-msft
Community Support
Status changed to: Delivered

VAMI
Regular Visitor

Hi @v-yetao1-msft

I have done everything as described, but once I test the user's role (Viewer and RLS) via the view as function on Power BI Service, I see the report as if the user would be a member of the workspace. Initially I thought there would be a timing delay, but even after a weekend the downgraded user can still see the report as if he would be a member of the workspace.

All the best

Valentin

MiDu
New Member

Is there any update on this topic?

I have a similar experience when a user had the member privileges in the first place. After setting back to Viewer role the user can still see all entries (although RLS is active for this user).

It seems that the user still has member rights in the background.

@v-yetao1-msft can you advise on what to do?

Thanks for your help.

VAMI
Regular Visitor

Hi @MiDu

Unfortunately there is no update on the topic from my side yet. In some cases the problem resolves itself with a significant time delay of about a week, but in some cases the member status seems still active in the background, even after a significant amount of time has passed.

mike_honey
Memorable Member

Just bumped into this issue, confirmed the affected users were inadvertently added as Members. Deleting their permissions and recreating them as Viewers does not resolve it.
Deployed the report into a separate workspace and added them as Viewers - "Test as role" shows secured data access as expected.
Super frustrating - this major security loophole allowing unauthorised access into a Microsoft product has been ignored for months.

Only options to resolve seem to be:
1. delete the entire workspace and start again
2. move affected users to a parallel workspace. No systematic way to know who they are, so this one is not very viable.  

VAMI
Regular Visitor

Hi @mike_honey 

I have not checked on this issue again lately, but I'm kind of bummed that the issue seemingly is still unsolved by #microsoft.

It seems that downgrading workspace permissions is still not an option if you want to make sure no security loopholes are created. As described the only current solution includes a new workspace. Could be even more frustrating if the affected workspace runs on a premium or fabric capacity.

mike_honey
Memorable Member

If anyone from Microsoft is tuning in, I've raised a support Case 2312210030000070 for this issue.

My project team agreed to delete the workspace and start again, which avoided this issue - for now.

Highlights the importance of maintaining a user list outside of Power BI, as the web UI doesn't offer any easy way to extract that info.
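
A way to find the affected users that the comments above say cannot be identified systematically, as an added example that is not part of the thread: it compares dated snapshots of the workspace user list, kept outside Power BI, and reports everyone who is a Viewer now but held a higher role earlier. It assumes each snapshot is a saved response body of the Power BI REST "Get Group Users" call (fields `identifier` and `groupUserAccessRight`); the sample data is constructed, and the check covers any role above Viewer, not only Member.

```python
import json

# Workspace roles ordered by privilege. The names are the groupUserAccessRight
# values in the "Get Group Users" response (assumed snapshot format).
RANK = {"None": 0, "Viewer": 1, "Contributor": 2, "Member": 3, "Admin": 4}


def roles(snapshot_json):
    """Map lower-cased identifier -> role for one saved response body."""
    return {u["identifier"].lower(): u["groupUserAccessRight"]
            for u in json.loads(snapshot_json)["value"]}


def downgraded_to_viewer(snapshots):
    """snapshots: list of (date, json_text), oldest first.

    Returns {identifier: (highest_earlier_role, date_last_seen_with_it)} for
    every user who is a Viewer in the newest snapshot but held a role above
    Viewer in an earlier one. These are the accounts whose RLS behaviour
    should be retested, or who should be moved to a fresh workspace.
    """
    current = roles(snapshots[-1][1])
    findings = {}
    for date, body in snapshots[:-1]:
        for ident, role in roles(body).items():
            if current.get(ident) != "Viewer" or RANK[role] <= RANK["Viewer"]:
                continue
            best = findings.get(ident)
            if best is None or RANK[role] >= RANK[best[0]]:
                findings[ident] = (role, date)
    return findings


def _snap(pairs):
    """Build a constructed snapshot in the assumed response shape."""
    return json.dumps({"value": [
        {"identifier": i, "groupUserAccessRight": r, "principalType": "User"}
        for i, r in pairs]})


# Constructed sample data: three monthly exports of one workspace.
SAMPLE = [
    ("2023-10-01", _snap([("alice@contoso.com", "Member"), ("bob@contoso.com", "Viewer"),
                          ("carol@contoso.com", "Admin")])),
    ("2023-11-01", _snap([("alice@contoso.com", "Viewer"), ("bob@contoso.com", "Viewer"),
                          ("carol@contoso.com", "Admin"), ("dave@contoso.com", "Contributor")])),
    ("2023-12-01", _snap([("alice@contoso.com", "Viewer"), ("bob@contoso.com", "Viewer"),
                          ("carol@contoso.com", "Member"), ("dave@contoso.com", "Viewer")])),
]

if __name__ == "__main__":
    for ident, (role, date) in sorted(downgraded_to_viewer(SAMPLE).items()):
        print(f"{ident}: was {role} on {date}, now Viewer")
```
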

mike_honey
Memorable Member

Had a call with a Microsoft support engineer just now, where we tried to repro the issue. However the user's access was correctly restricted, so we couldn't repro. A bit frustrating. Must be something specific in the sequence of events that triggers this bug.