Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
Anonymous
Not applicable

Row Level Security (RLS)

‎07-25-2016 02:00 PM

Hi, everyone. 

 

I am testing out row level security in my pbix file and it is not working as expected. I am pulling in CRM data. I have a "System Users, Aggregate" table that brings in security roles, business units, and team, in addition to user information. Because people can have more than one security role (e.g. System Admin, Sales Manager) I need to also include a "System Users" table that only has each user once. I can then join these tables using the UserID.

 

I have "Opportunities" that I am trying to filter for Users that have a specific Business Unit or Role. So I connect "System Users" to "Opportunities". At this point, I have "System Users, Aggregate" connected to "System Users" and "System Users" connected to "Opportunities". I have a RLS role where "System Users, Aggregate > Business Unit = 'Division 1'" And yet, when I turn on this role, it does not filter "System Users" at all, and therefore "Opportunities" are not filtered. 

 

And when I edit the relationship and try and click the "Apply security filter in both directions" when the Cross Filter Direction is set to both, I get an error that says "Table 'System Users Agg' is configured for row-level security, introducing constrains on how security filters are specified. the setting for security filter behavior...cannot be both. 

 

This confuses the heck out of me! The cross filter direction has to be both in order for the security filter to be applied in both directions, as the setting indicates. And it only makes sense that way. I have a value in Table 3 that I want to use to filter Table 1. they are joined via Table 2. Based on the experience I am seeing, this does not seem possible. 

 

I can send screenshots of anyone wants to see.

 

Thanks, Scott

 

 

Labels:
Message 1 of 6
3,782 Views
0
5 REPLIES 5
idanco
Advocate II
Advocate II

‎07-31-2016 05:02 AM

Hi,

 

I managed to resolve the similar issue i was facing by reading Kaspar's article about Dynamic RLS with BI Directional

http://download.microsoft.com/download/2/7/8/2782DF95-3E0D-40CD-BFC8-749A2882E109/Bidirectional%20cr...

(specifically look at the schema on page 28)

 

Send me a screenshot of your schema and i will let you know how i resolved it.

Message 6 of 6
3,716 Views
0
Greg_Deckler
Super User
Super User

‎07-25-2016 02:11 PM

I think that what you want to do is to create an RLS role, for Opportunities, Business Unit = 'Division 1' and then add the Division 1 users into that role.


@ me in replies or I'll lose your thread!!!
Instead of a Kudo, please vote for this idea
Become an expert!: Enterprise DNA
External Tools: MSHGQM
YouTube Channel!: Microsoft Hates Greg
Latest book!: The Definitive Guide to Power Query (M)

DAX is easy, CALCULATE makes DAX hard...
Message 2 of 6
3,777 Views
0
Anonymous
Not applicable
In response to Greg_Deckler

‎07-26-2016 05:39 AM

Thanks, @Greg_Deckler. Technically, I could do a merge query on Opportunities that brings in the related information from teams, business units, etc, but that seems like a fundamental shortcoming of RLS right now. I would assume that I can filter 'grandparent' and 'parent' records based on my selection criteria on the child record.

 

By way of example, let's say the Opportunity is owned by John Smith. And the Users table has John Smith and several other people in it. And then the Aggregated Users table shows that John Smith is on Team A. Then if I have a RLS role where Aggregated Users = Team A, then I would assume I could use that to filter the Users table so only John Smith is returned, and then in turn this would filter the Opportunity table so that only the record owned by John Smith is returned.

 

The alternative is a series of merged fields and an excessive number of roles that cover every eventuality. THAT would be a huge pain in the neck.

 

Hopefully, I am overlooking something obvious here. Or perhaps RLS really just isn't ready for primetime yet?

 

Best,

Scott 

Message 4 of 6
3,752 Views
0
v-yuezhe-msft
Employee
Employee
In response to Anonymous

‎07-30-2016 12:11 AM

Hi @Anonymous,

Based on your description, "System Users, Aggregate" table (Many side) and "System Users" table(One side) have many to one relationship, when you create a RLS role where "System Users, Aggregate > Business Unit = 'Division 1'", it doesn’t filter "System Users" table, right? If that is the case, we reported this issue internally two months ago and  got an update from our product team that this behavior of RLS is by design. For more details, please check this similar thread.

Currently, to make RLS work as expected in your scenario, you will need to merge query on Opportunities and create a RLS role that Business Unit = 'Division 1' in Opportunities table.

Thanks,
Lydia Zhang

Community Support Team _ Lydia Zhang
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
Message 5 of 6
3,720 Views
0
idanco
Advocate II
Advocate II
In response to Greg_Deckler

‎07-26-2016 01:14 AM

Hi,

 

I have the same issue - probably a preview feature bugs ? 

 

Message 3 of 6
3,756 Views
0

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All