One of our users (workspace admin) has stumbled across a strange problem, and I'm not sure what to tell him to put his mind at ease.

He has created multiple datasets and reports in one workspace, and implemented RLS on the datasets. Prior to implemeting the RLS he created a link to share access to a single dataset to users in our organization.

Once RLS was implemented, some users were not having their RLS settings applied so could see all data, while other had their RLS settings applied correctly. The admin also stated that the users who didn't have RLS applied to them could also access other datasets in the same workspace, even though these weren't shared via link.

Also, when testing the RLS access as the different users, those where RLS didn't work showed the actual users name in the Now viewing as section, but the workspace admins name and a message saying they had full visibility on the right of the screen:

My thought is that the user had previously used the link to access the dataset (not sure of the link permissions) and this link was giving the user the same access as the workspace admin, so RLS was not being applied. Once the sharing link was removed, the admin confirmed that the expected data was then being shown to the user. Unfortunately I didn't get to check the permissions used to share the dataset before these were deleted, but I presume they had both read and build permissions.

Why would the users be able to access other datasets within the same workspace? I checked and none of the RLS users have  access to the workspace, either directly or through a group. Could the user somehow have gained the same access level to the workspace just by the workspace admin sharing a link?

Any help would be appreciated.