Situation: I have PBI workspaces of new generation and a report with configured RLS. The report is distributed to several stakeholders, e.g. marketing and director; there is a common "entry page" with buttons which then direct to specific sections of the report. When a user of role "marketing manager" clicks on marketing, he can access those specific pages, but if he clicks on director he is redirected to a "permission denied"-page. Testing on role level ("view as marketing manager") is working. Problems arise on a user level, in the following I describe the tested scenarios.
Workspace A: - A user has no workspace rights or roles. When he accesses the report via Embedded, he gets an access error as expected.
- I assign the user to workspace viewers and to RLS role, RLS is enforced & everything is working as intended.
- Several users already have been assigned contributor/member rights - but as I understand, RLS is only enforced for viewers.
- So I demoted those users to WS viewers (or deleted them from WS); but instead of getting the redirect or an access error, RLS seems to continue not being enforced. My suspicion: once a user obtained workspace rights higher than viewer, RLS no longer works for him regardless of future permission change.
Workspace B: Here, users are not added to the workspace directly, but through AAD security groups (tested users are guest users in this tenant). Some user has contributor rights and the "marketing manager" role. Because of his WS rights, I would expect that RLS is not enforced, however it does. For a different user, who is contributor and additionally member, RLS does not apply - this does not make any sense to me...
Am I missing some configuration here or is someone able to replicate these scenarios/encountered them before? As quick fix for A) I could ofc. delete the WS and set up a new one. But once we are productive if permissions change, thats kind of a hassle as I also would have to touch the following embedded implementation. Any suggestions are kindly appreciated 🙂
PS: This is my first community post, hope I chose the correct topic/section.