Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Earn a 50% discount on the DP-600 certification exam by completing the Fabric 30 Days to Learn It challenge.

Reply
freidav1984
Frequent Visitor

Dynamic Row-Level-Security not working in service

‎08-08-2023 05:33 AM

Hi All!

 

I have a report where I set up dynamic row level security.

I have a brand_user assignment table, which contains the following fields:

  • id (counter)
  • user name - name
  • e-mail (equal to username())
  • userid (equal to userprincipalname())
  • brand

 

I also have a fact table, which contains plenty of transactional data. Also contains the brand in a column.

I created a many-to-many relationship via the brand fiel between the brand_user_addignment table and the fact table. The filter is a one-directional: brand assignment filters the fact table. 

 

I created a row level security on the brand assignment table for power bi desktop testing purposes (RLS_desktop): [email] = username() // this works fine in desktop.

 

But the final rls rule, which I created for BI service is not working, does not filter. (This is RLS_service - filters also the brand_assignment talbe): [userid] = userprincipalname().

 

I also created a measure, to show the userprincipalname() in the power bi service, and it shows the correct userid, for which I want to make the filtering. 

I also added the user to the rls in the power bi service at the dataset's security menu.

 

Do you have any idea what am I doing wrong?

I did researches, I found posts that the actual user name in the service might not match the userprincipalname? Or is there any mistake I have done?

 

Thx!

 

David

Labels:
Message 1 of 6
860 Views
0
1 ACCEPTED SOLUTION
JR-DCPS
Advocate II
Advocate II
In response to freidav1984

‎08-18-2023 07:39 AM

Did you remember to add users to the security group designations after publishing, and ensure that those users are viewers? If a user is designated higher than "Viewer" then RLS won't apply to them; and the users need to be placed in the security group for PBI Service to know which ruleset to apply to them.

View solution in original post

Message 4 of 6
786 Views
5 REPLIES 5
GilbertQ
Super User
Super User

‎08-08-2023 02:56 PM

Hi @freidav1984 

 

I would suggest following Kasper's cheat sheet for learning how to implement dynamic RLS to make sure that you follow the same pattern to get it working.

 

Here is the link: Power BI Desktop Dynamic security cheat sheet - Kasper On BI





Did I answer your question? Mark my post as a solution!

Proud to be a Super User!







Power BI Blog

Message 2 of 6
823 Views
freidav1984
Frequent Visitor
In response to GilbertQ

‎08-18-2023 04:34 AM

Hi,

 

Thx for your answer, I recomposed the data model according to to above mentioned blog. Somehow, did not get any active RLS after I published the report to the power bi service, and I have still no clue, what could've gone wrong... I think I did not skip any minor issue, but who knows...

Message 3 of 6
797 Views
0
GilbertQ
Super User
Super User
In response to freidav1984

‎08-20-2023 09:56 PM

Hi @JR-DCPS 

 

Double check if you have followed the steps as it does work.





Did I answer your question? Mark my post as a solution!

Proud to be a Super User!







Power BI Blog

Message 6 of 6
768 Views
JR-DCPS
Advocate II
Advocate II
In response to freidav1984

‎08-18-2023 07:39 AM

Did you remember to add users to the security group designations after publishing, and ensure that those users are viewers? If a user is designated higher than "Viewer" then RLS won't apply to them; and the users need to be placed in the security group for PBI Service to know which ruleset to apply to them.

Message 4 of 6
787 Views
freidav1984
Frequent Visitor
In response to JR-DCPS

‎08-21-2023 01:27 AM

Hi!


Thx a lot. The workspace viewer was the key element. 

The user got direct access and read permission in my situation. But it seems that rls works with workspace viewer permission. 

As I changed the user permission to workspace viewer, RLS worked.

 

This way, I face the following problem: This user should only see this particular report, and the user is not eligible to view other reports in this workspace. Any idea how to solve this issue in the same workspace, or do I need to create a separate workspace for him / her?

 

Thx a lot!

Message 5 of 6
765 Views
0

Helpful resources

Announcements
PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

View All
Top Solution Authors
View All
Top Kudoed Authors
View All