Users with access to reports and/or widgets on a dashboard can view the counts for data that they would not normally have access to due to ACL restrictions on the source table.
A user viewing a dashboard containing reports or widgets for a table they are restricted from viewing by ACLs can still see the data on the report/widget. however, when they click through to the list no data will be returned.
Reports and widgets do not evaluate ACLs when processing data to be displayed.
When you click through to the list, the data is not displayed as expected, due to the ACLs being evaluated for each record displayed.
This is the expected behaviour and no workaround is available.
Possible options for mitigating access to the data is to:
- Ensure that the dashboards shared with a user contain only data they can also access.
- Use a Before Query Business Rule to restrict access to data if possible instead of the ACL.