Sharepoint online data security

willatkinson · ‎09-18-2024

Hi,

I had a request from a user who tried to share their report with a colleague, but they were unable to view the data in the report.

The source for the report was an excel file held in sharepoint online, so I suggested that their colleague needed to be granted access to the sharepoint file in order to access the report.

I understand that this could cause an issue if the user wanted their report to be viewed but not the source file, but in this incident it wasn't an issue.

However, whilst looking at a report for another user, I noticed that some of the visuals were referencing a source in a sharepoint online location.

Now I could see the data in the visual in the service version and the pbix version of the report, but when I went onto data source settings and copied the link to their sharepoint site, I saw that I did not have access to the site.

Does anyone know how it is possible for someone to view data in a report where they don't have access the source file in sharepoint online?

We were looking into data source credentials in the service version of the report, and were trying to work out if it was to do with the report itself always having the creators sign in credentials added so that anyone they share the report with can view it?

Any help would be greatly appreciated, although not looking for RLS solutions please!

Cheers,

Will

lbendlin · ‎09-18-2024

Don't forget that the connection user scope does not need to match the scope of the report user. In fact, this is one of the min causes for accidental oversharing (exactly the things that RLS is attempting to restrict).

To make matters even more interesting you can be given access to a file in a sharepoint but NOT to the actual sharepoint site. Now that is truly messed up 🙂

View solution in original post

v-denglli-msft · ‎09-26-2024

Hi @willatkinson ,

May I ask if you have gotten this issue resolved?

If it is solved, please mark the helpful reply or share your solution and accept it as solution, it will be helpful for other members of the community who have similar problems as yours to solve it faster .

Thank you very much for your kind cooperation!

Best Regards,
Dengliang Li.

lbendlin · ‎09-18-2024

Don't forget that the connection user scope does not need to match the scope of the report user. In fact, this is one of the min causes for accidental oversharing (exactly the things that RLS is attempting to restrict).

To make matters even more interesting you can be given access to a file in a sharepoint but NOT to the actual sharepoint site. Now that is truly messed up 🙂

willatkinson · ‎09-20-2024

So does this mean someone can view data in a report, even if they don't have access to the sharepoint site?

lbendlin · ‎09-20-2024

Yes, if the connection owner has access.

willatkinson · ‎09-23-2024

Oh ok thanks thats good to know. How do you configure this in the report in the PBI service?

willatkinson · ‎09-23-2024

Configure 2.PNG

Do these authentication methods affect this?

lbendlin · ‎09-23-2024

Not sure what you mean. Only OAuth2 is supported.

Sharepoint online data security

Sharepoint online data security

Helpful resources

Power BI Monthly Update - March 2025

Fabric Community Update - March 2025

Security issue

Unable to connect to csv in sharepoint online

Project Online Change Control Data

Security of published online model

Sharepoint Online enterprise gateway