Data masking not working within looker data studio according to provided access level

I’m facing an issue with Looker Data Studio related to data masking in BigQuery.

I have a table in BigQuery: "kz-x-si.Looker.deposit_withdrawal_registration_metrics". My IAM roles include owner, masked_reader, and fine-grained_reader. I’ve applied a data policy to one of the columns (SHA-256 data masking policy tag for phone numbers) [refer SS below].


When I add this table to Looker Data Studio, I can see the phone numbers unmasked, which makes sense because I have both masked_reader and fine-grained_reader permissions [refer SS below].

 

However, I recently added a new user (new principal) to the IAM section of my project, giving them only masked_reader access (no fine-grained_reader), and then shared the Looker dashboard with them with view-only permissions. To my surprise, this user can also view the unmasked phone numbers, which contradicts my understanding of how data masking should work.

I expected that users with only masked_reader access would see the masked version of the phone numbers, not the unmasked data. Could anyone help explain why this might be happening or suggest how I can properly enforce the data masking?

 

 

1 ACCEPTED SOLUTION

@chitranshu192 

So the behavior makes sense. You need to switch to viewer credentials on the data source if you want to restrict the BQ access following the user. Otherwise, Looker Studio readers will see data following your access permissions.

I hope it helps.


7 REPLIES 7

Same issue. Can anyone help resolve this promptly?

@HectorArturo Can you please check this?

@chitranshu192 

Just to be sure: Your Looker Studio data source uses the viewer credentials and not the owner credentials, right?

I have owner's credential 


@chitranshu192 

So the behavior makes sense. You need to switch to viewer credentials on the data source if you want to restrict the BQ access following the user. Otherwise, Looker Studio readers will see data following your access permissions.

I hope it helps.

Got it. Thanks a lot. 

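The behaviour explained in the accepted solution, as an added example that is not part of the original thread: it models which identity BigQuery evaluates for a Looker Studio data source and lists report viewers who see more through the dashboard than their own roles allow. The policy, the example.com principals and the function names are constructed for illustration; it assumes the two roles are granted at project level and that a principal with neither role is denied the column.

```python
# Added example (not from the thread): effective column visibility through a
# Looker Studio data source, depending on whose credentials run the query.
MASKED = "roles/bigquerydatapolicy.maskedReader"
FINE_GRAINED = "roles/datacatalog.categoryFineGrainedReader"

# Constructed bindings in the shape of `gcloud projects get-iam-policy --format=json`.
POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:owner@example.com"]},
    {"role": MASKED, "members": ["user:owner@example.com",
                                 "user:analyst@example.com"]},
    {"role": FINE_GRAINED, "members": ["user:owner@example.com"]},
]}

RANK = {"denied": 0, "masked": 1, "clear": 2}


def roles_of(policy, member):
    """Return the set of roles bound to a principal."""
    return {b["role"] for b in policy["bindings"] if member in b["members"]}


def column_view(policy, member):
    """What a principal gets when querying the tagged column as themselves."""
    roles = roles_of(policy, member)
    if FINE_GRAINED in roles:   # fine-grained reader wins over masked reader
        return "clear"
    if MASKED in roles:
        return "masked"
    return "denied"             # assumption: neither role means no column access


def dashboard_view(policy, owner, viewer, credentials):
    """What a report viewer sees; `credentials` is 'owner' or 'viewer'."""
    if credentials not in ("owner", "viewer"):
        raise ValueError("credentials must be 'owner' or 'viewer'")
    # With owner's credentials the query runs as the data source owner,
    # so the viewer's own roles are never consulted.
    identity = owner if credentials == "owner" else viewer
    return column_view(policy, identity)


def overexposed(policy, owner, viewers, credentials):
    """Viewers who see more via the dashboard than under their own identity."""
    return [v for v in viewers
            if RANK[dashboard_view(policy, owner, v, credentials)]
            > RANK[column_view(policy, v)]]


if __name__ == "__main__":
    people = ["user:analyst@example.com", "user:guest@example.com"]
    for mode in ("owner", "viewer"):
        print(mode, overexposed(POLICY, "user:owner@example.com", people, mode))
```
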