
Copilot answering data questions outside of Row Level Security protocol

I posted this in the community forum and am now reposting it here at the advice of a Super User response. 

 

While testing the "Preview" toggle of Copilot within Power BI Service, I observed that it queries the dataset directly to provide answers, unlike the previous method that relied on page visuals. This raises a potential security issue.

 

During today's test with a user who had Row-Level Security (RLS) applied to two reports, I noticed a concern. The user, who should only access data for a specific customer (say, Customer ABC), and whose report visuals only display data for that customer, was able to retrieve data for Customer XYZ when querying Copilot, even though they should not have access to that information.

 

This issue occurs only when the "Preview" toggle is active. If the toggle is off, and they inquire about Customer XYZ, there is no response. Additionally, I found that Copilot cannot utilize table relationships to identify rows related to Customer XYZ if the report lacks a customer column and instead uses an Account Number or a similar identifier. However, if a user knows the data structure in a report, they can query information they shouldn't access.

 

Is there an ongoing development for a solution, or is there a way to prevent this issue other than disabling Copilot at the Tenant level?

 

Thank you in advance for any assistance you may be able to provide us in this matter; it is greatly appreciated.

Status: Delivered

Hi @user01650 ,

 

Thanks for your feedback! Since it's a preview feature, if you would like to suggest feature improvements, you may vote for the idea and comment here to improve it. It is the right place for customers to provide feedback about Microsoft Office products. What's more, if a piece of feedback is highly voted there by other customers, it is promising that the Microsoft Product Team will take it into consideration when designing the next version in the future.

 

Best Regards,
Community Support Team _ Caitlyn

Comments
v-xiaoyan-msft
Community Support
Status changed to: Delivered


jibran_wani
Regular Visitor

Hi @user01650, Could you please confirm if this issue still persists? I'm currently researching about the same issue and there is very little content available on this.

Have you posted about this in Community Issues?
Thank you 

user01650
New Member

Hello @jibran_wani, yes, it is still an issue. However, I might be able to shed a little more light.

I opened a support ticket with Microsoft and they had one of their contractors working on their development team trying to figure it out. He spent almost 2 weeks inspecting my .pbix and recreating the problem. I was told it had something to do with the way I had my table relationships and some of my calculated columns.

Apparently, using calculated columns to reference other tables (like "related", lookup, and such) can create such a back door. And it has something to do with how I have table relationships outside of the original master fact table. I have a table called "Roster" that contains all my RLS as well as department numbers, account numbers, and other identifiers. However, our company's data has some flaws, so I have no choice but to connect certain tables to each other through a common identifier and then just connect one of them to the Roster. From what I was told, that could create the "back door" effect that I am experiencing. This gives the user access to data they wouldn't normally see in visuals, but since Copilot queries the tables directly, it can access that data.

I was able to fix some of the calculations and relationships to lessen the issue, but could not fix all; otherwise, I lose much-needed functionality of the report.

Yes, I did originally post in the Community Issues then posted here at the advice of one of the Super Users.
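The original post's point is that Copilot queries the semantic model directly rather than the filtered visuals, and the reply above narrows the cause to tables that are chained to each other by a common identifier with only one of them related to the RLS-bearing Roster table. The defender's check that follows from both is simple: RLS filters only reach the tables that filter propagation can reach from the tables carrying a role filter, so any table outside that reachable set is visible unfiltered to a direct query of the model. The script below is an added example (not from the poster's .pbix or from Microsoft) that walks a hypothetical model's relationship graph in the direction filters flow and lists the tables RLS never touches. The table names, relationships and cross-filter directions are constructed for illustration; the only facts it relies on are that RLS filters propagate along relationships in their cross-filter direction and that a bidirectional relationship carries RLS only when the model's "Apply security filter in both directions" option is set on it.

```python
"""RLS propagation coverage check over a simplified tabular-model relationship graph.

Added example, hypothetical model. Table and column names are constructed and do not
come from the thread's report.
"""
from collections import deque

# Constructed model loosely following the thread's description: Roster carries the
# role filter, Sales and Accounts hang off Roster, AccountDetails is joined to
# Accounts by a shared identifier but is NOT related to Roster, and Calendar is a
# shared date dimension.
TABLES = {"Roster", "Sales", "Accounts", "AccountDetails", "Calendar"}

# (one_side_table, many_side_table, cross_filter_direction, security_filter_both_directions)
# With "single", the one side filters the many side; with "both", filters flow each
# way, but RLS follows the reverse direction only if the security flag is also set.
RELATIONSHIPS = [
    ("Roster", "Sales", "single", False),
    ("Roster", "Accounts", "single", False),
    ("AccountDetails", "Accounts", "single", False),
    ("Calendar", "Sales", "single", False),
]

# Tables that carry a role filter, e.g. Roster[UserEmail] = USERPRINCIPALNAME().
RLS_TABLES = {"Roster"}


def build_rls_filter_graph(relationships):
    """Directed edges in the direction an RLS filter propagates."""
    graph = {}
    for one_side, many_side, direction, security_both in relationships:
        graph.setdefault(one_side, set()).add(many_side)
        # Reverse propagation of a *security* filter needs both the bidirectional
        # relationship and the "Apply security filter in both directions" setting.
        if direction == "both" and security_both:
            graph.setdefault(many_side, set()).add(one_side)
    return graph


def filtered_tables(relationships, rls_tables):
    """Tables whose rows are restricted, directly or by propagation, by the RLS roles."""
    graph = build_rls_filter_graph(relationships)
    seen = set(rls_tables)
    queue = deque(rls_tables)
    while queue:
        table = queue.popleft()
        for nxt in graph.get(table, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def unfiltered_tables(tables, relationships, rls_tables):
    """Tables a direct query of the model (as Copilot issues) sees with no RLS applied."""
    return set(tables) - filtered_tables(relationships, rls_tables)


def coverage_report(tables, relationships, rls_tables):
    """Human-readable summary for a model review."""
    exposed = sorted(unfiltered_tables(tables, relationships, rls_tables))
    lines = [f"RLS-filtered tables: {sorted(filtered_tables(relationships, rls_tables))}"]
    if exposed:
        lines.append(f"NOT reached by any RLS filter (review each): {exposed}")
    else:
        lines.append("Every table is reached by an RLS filter.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(coverage_report(TABLES, RELATIONSHIPS, RLS_TABLES))
    # Same model after making AccountDetails<->Accounts bidirectional with the
    # security flag set: AccountDetails is now reached, Calendar still is not.
    fixed = [r for r in RELATIONSHIPS if r[0] != "AccountDetails"]
    fixed.append(("AccountDetails", "Accounts", "both", True))
    print(coverage_report(TABLES, fixed, RLS_TABLES))
```

Not every flagged table is sensitive (a Calendar dimension is normally harmless), so the output is a review list, not a verdict. Two caveats the script cannot see: calculated columns are materialized at refresh time without any user context, so a column that copies or aggregates values from another table stores whatever the unfiltered model contained, and a model-wide check like this one says nothing about what such a column embeds; and flipping a relationship to bidirectional to close a gap changes filter semantics elsewhere in the model, so verify the report visuals after the change as well as the RLS role with "View as" testing.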

jibran_wani
Regular Visitor

Thank you for the thorough explanation @user01650. Just one follow-up question: if these relationship issues are contained, then RLS roles with the necessary data restrictions will remain intact in Copilot as well, right?

user01650
New Member

@jibran_wani, yes that is correct.