markp35
Frequent Visitor

Row-Level Security and Shared Link

One of our users (workspace admin) has stumbled across a strange problem, and I'm not sure what to tell him to put his mind at ease.

 

He has created multiple datasets and reports in one workspace, and implemented RLS on the datasets. Prior to implementing the RLS he created a link to share access to a single dataset to users in our organization.

 

Once RLS was implemented, some users were not having their RLS settings applied so could see all data, while others had their RLS settings applied correctly. The admin also stated that the users who didn't have RLS applied to them could also access other datasets in the same workspace, even though these weren't shared via link.

 

Also, when testing the RLS access as the different users, those where RLS didn't work showed the actual user's name in the "Now viewing as" section, but the workspace admin's name and a message saying they had full visibility on the right of the screen:

 

[Screenshot: markp35_0-1681822273723.png]

My thought is that the user had previously used the link to access the dataset (not sure of the link permissions) and this link was giving the user the same access as the workspace admin, so RLS was not being applied. Once the sharing link was removed, the admin confirmed that the expected data was then being shown to the user. Unfortunately I didn't get to check the permissions used to share the dataset before these were deleted, but I presume they had both read and build permissions.

 

Why would the users be able to access other datasets within the same workspace? I checked and none of the RLS users have access to the workspace, either directly or through a group. Could the user somehow have gained the same access level to the workspace just by the workspace admin sharing a link?

 

Any help would be appreciated.

2 REPLIES
lbendlin
Super User

Tell them that RLS will not be applied for anyone who has workspace access above viewer role. This is by design.

Hi lbendlin, thanks for the response. Unfortunately none of the users had a defined workspace access level, whether as viewer or not, only the access to one specific dataset through a shared link.

 

I can understand why the RLS was not being applied to any users who had already accessed the link to the dataset, as this would give them full access to that dataset and override the RLS being applied. However, I can't understand why the workspace admin believes these users (without defined permissions on the workspace) could also see other datasets in the same workspace that hadn't been shared.

 

Unfortunately we're unable to do any further testing as the shared links to the dataset have been removed and the RLS and access to other datasets is now working as expected. It would have been good to understand what was happening, but I guess we will now not find the root cause of this issue.
