I am having an issue with a report with RLS on the service.
The implementation is very simple using an access rule table with 2 columns [Username] and [Company] governing the Company view in the report. Then the dynamic RLS is implemented with a LOOKUP to that table looking for a matching USERPRINCIPALNAME().
My testing does work as expected in both local and service for all the defined users, but one.
The filter rule does fail for this user only on the service.
It seems like this user were an admin able to override any RLS rule.
But after extensive cheching, it tourned out that this user is not present anywhere I can check.
It's not a member of the report workspace, less than having any edit permissions.
It's not a member of the linked Sharepoint/Teams groups.
It doesn't show anywhere, but it can skip RLS.
Any hint would be GREATLY appreciated.
Hi, @maclura ;
Hi @v-yalanwu-msft ,
we opened a ticket with Microsoft for this issue, and it's still open.
Microsoft has come back a couple of time with questions, but they seem to chew on this access problem a bit.
I will keep you updated on any outcome.
Please check, if you have any "Share"-Links created by the standard PowerBI Sharing Features - you can see this when checking context menu "..." -> "Manage Access" on the Report and Dataset. At least it helpen in my case...
Thank you @alexrobe for your hint.
I checked and I had 2 links for the report and 2 for the dataset. I removed all of them, but nothing changed! This user is still able to ignore any security rule.
One of the suggestions from Microsoft was that this user has never accessed PowerBI before, and that would explain why testing like that user doesn't work, but then we setup security rules for dozen of users who never accessed Power BI before, and none of them was able to override any rule.
Hi, @maclura ;
1.First check if he's a member of the group:
In the Power BI service, you can add a member to the role by typing in the email address or name of the user or security group. You can't add Groups created in Power BI. You can add members external to your organization.
2.You said that your desktop test is also that one person does not take effect, right? If it doesn't work in Service and on desktop, you can delete the data set and re-publish the new workspace to try it out.
3.Check The user is mapped to multiple roles.
Community Support Team_ Yalan Wu
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
Find out more about the May 2023 update.
Share your Data Story with the Community in the Data Stories Gallery.