Akins_PBI
Regular Visitor

Dynamic RLS Service Side Issue

I have RLS set up for supervisor and designer views, where [designer email] = userprincipalname(), and [supervisor email] = userprincipalname() in 2 separate roles. Testing within Desktop there are no issues, but testing within the service doesn't work for everyone.

 

I have ensured everyone has read/reshare access, and have been assigned to their respective roles.

 

Has anyone run into this issue before?

 

Thanks,

6 REPLIES
JR-DCPS
Advocate II

What exactly isn't working? Are users in multiple roles, not showing up in the correct role, etc.?

Some users are able to only view the data for themselves (designer role) or all designers underneath them (supervisor role), which is correct.  Other users in each role are able to see all data.

Okay. You'll need to provide more on how you have the security groups configured and if there are any groups beyond the two you mentioned. There may be a logic gap there. Either that, or are any of the users that see everything set to something other than "Read/viewer"? Users with higher privileges ignore RLS rules.

 

The reason it all worked on Power BI Desktop is because you can set it to any combination of user and group you desire--even if it wouldn't occur on the server version.

Both fields set equal to userprincipalname are from the same table from a SQL Server. All users only have read access. This seemed to be the most common issue during my research of the issue. There are no other roles, nor do users belong to both roles. I'm just confused as to how it works for the majority of users in the service and not for others.

Yeah, that should be working without issue. I use a security lookup table for my RLS needs, essentially matching a user to the particular components they need and keep RLS consistent among multiple dashboards. It may be a little extra work on your end, but it might round out the stragglers when a table outright says what permissions they have. If the problem users still see everything with that in place, then it has to be some sort of view/member issue.

I think I figured out the issue. At some point, a Teams group was added to the workspace permissions with more than viewer access. I went through the members of the Teams group, and sure enough all of them were bypassing RLS, while other users not members of that group had the restricted view.

 

That being said, I do like what you are doing with the security table.  It sounds a lot cleaner.  I'll have to play around with it a bit. 

 

Thanks for the help!
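
The root cause found in this thread (a group holding more than Viewer access on the workspace, so its members are never filtered by RLS) can be checked for systematically. The following is an added example, not code from any poster: it cross-references RLS role members against workspace access entries shaped like the `value` array of the Power BI REST call `GET /v1.0/myorg/groups/{groupId}/users`. The tenant, users, group id, and group expansion are constructed, and the group expansion is assumed to have been resolved from the directory beforehand.

```python
# Added example with constructed data. Workspace roles above Viewer are not filtered by RLS.
BYPASS_RIGHTS = {"Admin", "Member", "Contributor"}
TEAM_ID = "11111111-aaaa-4bbb-8ccc-000000000001"  # constructed group object id

# Shaped like the "value" array of GET /v1.0/myorg/groups/{groupId}/users.
WORKSPACE_USERS = [
    {"identifier": "owner@contoso.example", "principalType": "User", "groupUserAccessRight": "Admin"},
    {"identifier": TEAM_ID, "displayName": "Design Team", "principalType": "Group", "groupUserAccessRight": "Member"},
    {"identifier": "dana@contoso.example", "principalType": "User", "groupUserAccessRight": "Viewer"},
]
# Group expansion, resolved from the directory in practice (assumption).
GROUP_MEMBERS = {TEAM_ID: ["Alex@contoso.example", "sam@contoso.example"]}
# RLS role membership as assigned on the dataset.
RLS_ROLES = {
    "Designer": ["alex@contoso.example", "dana@contoso.example"],
    "Supervisor": ["sam@contoso.example", "lee@contoso.example"],
}

def elevated_grants(workspace_users, group_members):
    """Map lower-cased UPN -> [(access right, how it was granted)]."""
    grants = {}
    for entry in workspace_users:
        right = entry.get("groupUserAccessRight")
        if right not in BYPASS_RIGHTS:
            continue
        if entry.get("principalType") == "Group":
            via = "group " + entry.get("displayName", entry["identifier"])
            members = group_members.get(entry["identifier"], [])
        else:
            via, members = "direct", [entry["identifier"]]
        for upn in members:
            grants.setdefault(upn.lower(), []).append((right, via))
    return grants

def find_rls_bypass(workspace_users, group_members, rls_roles):
    """Return {upn: (rls roles, elevated grants)} for role members RLS will not filter."""
    grants = elevated_grants(workspace_users, group_members)
    findings = {}
    for role, members in rls_roles.items():
        for upn in (m.lower() for m in members):
            if upn in grants:
                findings.setdefault(upn, ([], grants[upn]))[0].append(role)
    return findings

if __name__ == "__main__":
    hits = find_rls_bypass(WORKSPACE_USERS, GROUP_MEMBERS, RLS_ROLES)
    for upn, (roles, grants) in sorted(hits.items()):
        print(f"{upn}: in RLS role(s) {roles} but not filtered, {grants}")
```

Any user it reports sees unfiltered data until the elevated grant is removed or reduced to Viewer, regardless of how the RLS roles are defined.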
