Force dataset takeover to new after manipulation of dataset
Whenever a user overwrites a dataset in the Power BI Service he should be forced to takeover the dataset, to make sure this user is authorized for the connected data sources.
Gateway datasource are authorized to certain users only. According to the documentation only these users should be able to publish reports that use the data source and therefore to decide what information is made available to the consumers of the report.
By downloading the PBIX file, changing and republishing the dataset any edit user of the workspace can extract any data they want from the data source even though these users might not be authorized for the source.
In our scenario central IT provides a report accessing a data source in import mode. The report is published to the department workspace and connected to the gateway by central IT who is authorized for the gateway data source. The report filters the data for the department. The members of the workspace can now work with the report especially they can use the data model in their reports as the source. They can also download the pbix file and work in Power bi desktop, which is OK. In this case their personal user for the datasource is used and RLS in the source system handles the security.
The problem is that they can also republish the report without automatically taking over the dataset. The changed dataset stays connected to the gateway connection that uses a technical user that can access all data in the source. This way they can highjack the report in their workspace to select any data they want from the datasource.
Basically this means that connecting a dataset to gateway datasource will provide the privileages for the gateway connection to any member, contributor and admin of the workspace.
In our Opinion, if a user republishes a dataset he should automatically takeover the dataset so the connection to the gateway connection is lost.
This is of course only necessary if the user is different from the owner of the dataset.