I encountered a scenario in Power BI where Row-Level Security (RLS) can be bypassed due to a combination of referential integrity (RI) violations, allowing unauthorized access to data.
This issue arises in specific RLS setups where:
- The RLS table filters data using ProductID and UPN (email/user).
- The relationship model introduces a bridge table, and security is applied through relationships with Apply security filter in both directions enabled.
- There is incomplete referential integrity (i.e., not all ProductIDs exist in all tables involved).
This model grants access to data the user should not see.
My Observation
If a user has RLS access to any product that is part of the RI violation (i.e., it does not exist in the bridge table or product dimension), Power BI unexpectedly grants access to other products beyond their RLS scope - including products they are not authorized to see.
Repro Steps
1. RLS Table (User Permissions)
| UPN | ProductID |
| alice@example.com | 1001 |
| bob@example.com | 1002 |
| bob@example.com | 1003 |
| charlie@example.com | 1004 |
| charlie@example.com | 1006 |
| diana@example.com | 1005 |
| diana@example.com | 1006 |
| diana@example.com | 1001 |
2. Bridge Table (ProductBridge)
| ProductID |
| 1001 |
| 1002 |
| 1003 |
| 1004 |
3. Product Dimension Table (Products)
| CategoryID | CategoryName | BrandID | BrandName | ProductID | ProductName | ProductColor |
| 1 | Electronics | 101 | Sony | 1001 | Headphones | Black |
| 2 | Appliances | 102 | Samsung | 1002 | Microwave | Silver |
| 3 | Furniture | 103 | IKEA | 1003 | Table | Brown |
| 4 | Clothing | 104 | Zara | 1004 | Jeans | Blue |
| 5 | Sports | 105 | Nike | 1005 | Soccer Ball | White |
| 6 | Toys | 106 | Lego | 1006 | Brick Set | Multicolor |
| 7 | Books | 107 | Penguin | 1007 | Notebook | Yellow |
4. Model Setup (see attached diagram):
RLS → ProductBridge (many-to-one, both directions, security filter ON)
ProductBridge → Products (one-to-many, single directions)
5. Tested Role Logic:
RLS Role: RLS[UPN] = USERPRINCIPALNAME()
Test Case:
User: diana@example.com
Expected access:
Products: 1001 (only one that exists in the bridge table)
Actual access:Products: 1001, 1005, 1006, 1007 (!)
User: charlie@example.com
Expected access:
Products: 1004
Actual access:Products: 1004, 1005, 1006, 1007
It appears that once a user has access to any product not found in the bridge table, the relationship chain breaks in such a way that the entire "missing" portion of the Product table is exposed, ignoring RLS enforcement altogether.
This suggests the RLS filter is not safely handling RI violations — rather than blocking or excluding such records, Power BI seems to allow overly permissive access through broken links.
P.S. I would like to provide a Power BI report file demonstrating the issue, but I haven’t figured out how to do that yet - the platform indicates that .pbix and .zip file types are not supported for upload.
P.P.S. Please don’t suggest resolving this issue by simply fixing the referential integrity violations in the data. I fully understand the importance of maintaining RI to ensure consistent and accurate results. However, this report is not about bad data hygiene — it’s about how RLS behaves when RI is broken, intentionally or unintentionally.
- allyklee on: Power BI Premium. Unable to import files over 1mb...
- DS1415 on: Uncaught references: ClipboardItem is not defined ...
- DS1415 on: BUG: For PowerBI Embedded, the ClipboardItem is no...
- RedMax on: Continuous axis failed
-
nleuck_101
on:
Button state not changing on hover or press
- GabyMolfino on: Copying Table with Filters is Ignoring Filters
-
smpa01
on:
We couldn't load your datamart
-
mattlee
on:
Turned off Callout Values in Card (New) Visual sti...
- klanob on: Button Slicer Bug - custom border color
-
Idrissshatila
on:
SVG Image URL in Card (New) Visual is not working ...