Urgh! What a horrifically clickbaity title for a blog… Still, you’re here now anyway, so you may as well read on. I wanted to capture this as a blog as an aide memoire to myself as much as anything else, so I don’t fall for this RLS (or ‘Row Level Security’ to give it its full moniker) trap again.

It has happened to me twice in a week when helping out some colleagues, and for me there is a blind spot in the Microsoft documentation that doesn’t explicitly call this behaviour out.

The Problem

So to set the scene, I had a colleague ask for some help because a user was getting an error message when trying to load a report. The setup we had was a shared dataset in its own workspace, and then reports published to a separate workspace.

“Classic”, I figured, “I bet he’s forgotten to give read access directly on the dataset” which seems to be a step commonly forgotten (and let’s face it, it’s a slightly clunky and unintuitive step to execute). I was right, that’s exactly what had happened… Except that still didn’t fix the access issue.

We were faced with this error message:

And it turned into a real head scratcher. We tried adding build access on the dataset, we tried it with the report published to an app, but we had no joy.

The Answer

Then I asked, “Does the dataset have any row level security?”

The answer was that somebody had set up some RLS roles, but as yet they weren’t being used. So we tried adding a user to one of the roles and BINGO, it worked!

It turns out that if you have added RLS roles to your dataset, anyone who only has Viewer access on the report MUST be a member of one of those roles.

I hadn’t realised this is how it works. The expressions used to apply the RLS on the dataset are effectively DAX expressions that apply a filter context to the data. I always figured that being a member of an RLS role meant that filter is applied, but if you’re not a member of the group, you still see everything.

And as a developer, it’s quite easy to miss this behaviour. RLS is only applied to users with the Viewer role in a workspace and as the developer of the dataset you will always have either Admin, Member or Contributor access on the workspace, so RLS doesn’t apply to you.
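
The access rule described above, written out as an added example (not code from the original post or from Microsoft): it classifies each user of a dataset and lists the read-only users who are in no RLS role and would therefore be blocked. The inventory layout, names and addresses are constructed for illustration, and expanding group membership is an assumption about how roles are populated.

```python
# Added example: models the behaviour the post describes over a constructed
# inventory. Nothing here calls a Power BI API.

# Workspace roles that RLS is not applied to, per the post.
BYPASS = {"Admin", "Member", "Contributor"}


def rls_outcome(user, dataset, groups):
    """Classify one user's access to a dataset.

    Returns (status, matched_roles) where status is one of
    "unfiltered", "filtered", "blocked" or "no-access".
    """
    # A user acts as themselves plus every group they belong to (assumption).
    ids = {user} | {g for g, members in groups.items() if user in members}
    ws_roles = {dataset["workspace"].get(i) for i in ids}
    if ws_roles & BYPASS:
        return "unfiltered", []   # developer-type roles: RLS does not apply
    if "Viewer" not in ws_roles and not (ids & dataset["read"]):
        return "no-access", []    # the commonly forgotten dataset read grant
    if not dataset["rls_roles"]:
        return "unfiltered", []   # no roles defined, nothing to enforce
    matched = sorted(r for r, m in dataset["rls_roles"].items() if ids & m)
    return ("filtered", matched) if matched else ("blocked", [])


def blocked_readers(users, dataset, groups):
    """Read-only users who will get the error because they are in no RLS role."""
    return [u for u in users if rls_outcome(u, dataset, groups)[0] == "blocked"]


# Constructed sample inventory (hypothetical names and addresses).
GROUPS = {"sales-emea@example.com": {"bob@example.com"}}
DATASET = {
    "workspace": {"dev@example.com": "Contributor"},   # dataset workspace roles
    "read": {"alice@example.com", "carol@example.com", "sales-emea@example.com"},
    "rls_roles": {"EMEA": {"sales-emea@example.com"}, "APAC": set()},
}
USERS = ["dev@example.com", "alice@example.com", "bob@example.com",
         "carol@example.com", "dave@example.com"]

if __name__ == "__main__":
    for u in USERS:
        print(u, rls_outcome(u, DATASET, GROUPS))
    print("blocked:", blocked_readers(USERS, DATASET, GROUPS))
```

Running the check before publishing a report shows which readers need adding to a role, including the case from the post where roles exist but nobody has been assigned to them yet.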

Having now read the Microsoft documentation on this 4 or 5 times, I’m convinced that this condition is not explicitly called out. Please check it out here and let me know if you can find reference to this particular behaviour.

In the meantime though, please realise that if you set up RLS on a dataset, you HAVE to use it for read-only users.

