I encountered a scenario in Power BI where Row-Level Security (RLS) can be bypassed due to a combination of referential integrity (RI) violations, allowing unauthorized access to data.
This issue arises in specific RLS setups where:
- The RLS table filters data using ProductID and UPN (email/user).
- The relationship model introduces a bridge table, and security is applied through relationships with Apply security filter in both directions enabled.
- There is incomplete referential integrity (i.e., not all ProductIDs exist in all tables involved).
This model grants access to data the user should not see.
My Observation
If a user has RLS access to any product that is part of the RI violation (i.e., it does not exist in the bridge table or product dimension), Power BI unexpectedly grants access to other products beyond their RLS scope - including products they are not authorized to see.
Repro Steps
1. RLS Table (User Permissions)
| UPN | ProductID |
| alice@example.com | 1001 |
| bob@example.com | 1002 |
| bob@example.com | 1003 |
| charlie@example.com | 1004 |
| charlie@example.com | 1006 |
| diana@example.com | 1005 |
| diana@example.com | 1006 |
| diana@example.com | 1001 |
2. Bridge Table (ProductBridge)
| ProductID |
| 1001 |
| 1002 |
| 1003 |
| 1004 |
3. Product Dimension Table (Products)
| CategoryID | CategoryName | BrandID | BrandName | ProductID | ProductName | ProductColor |
| 1 | Electronics | 101 | Sony | 1001 | Headphones | Black |
| 2 | Appliances | 102 | Samsung | 1002 | Microwave | Silver |
| 3 | Furniture | 103 | IKEA | 1003 | Table | Brown |
| 4 | Clothing | 104 | Zara | 1004 | Jeans | Blue |
| 5 | Sports | 105 | Nike | 1005 | Soccer Ball | White |
| 6 | Toys | 106 | Lego | 1006 | Brick Set | Multicolor |
| 7 | Books | 107 | Penguin | 1007 | Notebook | Yellow |
4. Model Setup (see attached diagram):
RLS → ProductBridge (many-to-one, both directions, security filter ON)
ProductBridge → Products (one-to-many, single directions)
5. Tested Role Logic:
RLS Role: RLS[UPN] = USERPRINCIPALNAME()
Test Case:
User: diana@example.com
Expected access:
Products: 1001 (only one that exists in the bridge table)
Actual access:Products: 1001, 1005, 1006, 1007 (!)
User: charlie@example.com
Expected access:
Products: 1004
Actual access:Products: 1004, 1005, 1006, 1007
It appears that once a user has access to any product not found in the bridge table, the relationship chain breaks in such a way that the entire "missing" portion of the Product table is exposed, ignoring RLS enforcement altogether.
This suggests the RLS filter is not safely handling RI violations — rather than blocking or excluding such records, Power BI seems to allow overly permissive access through broken links.
P.S. I would like to provide a Power BI report file demonstrating the issue, but I haven’t figured out how to do that yet - the platform indicates that .pbix and .zip file types are not supported for upload.
P.P.S. Please don’t suggest resolving this issue by simply fixing the referential integrity violations in the data. I fully understand the importance of maintaining RI to ensure consistent and accurate results. However, this report is not about bad data hygiene — it’s about how RLS behaves when RI is broken, intentionally or unintentionally.
- alisonmoraes on: Usuário PPU Sem acesso
-
mattlee
on:
Small multiples not fitting to scale
- Chandanu14 on: AADSTS50011: Fabric MCP Redirect URI missing from ...
- DanArcher on: Unknown Error on Close & Apply
-
vgeldbr
on:
Connection Timeout to Azure Analysis Services (AAS...
- zjd4atcdc on: CMD Prompt Popping Up During Changes
-
mattlee
on:
Problem : Data labels stacked bar chart
-
mattlee
on:
Previously working Mac calender visual now gives m...
-
DataZoe
on:
Subject: Regression – Synchronized axis ranges no ...
- chadmkelly on: Power BI Desktop Refresh Issue