Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
mramzi
Frequent Visitor

Dynamic RLS using AD-groups, Questions

‎08-04-2021 01:35 AM

Hi,

 

At our firm we want to manage RLS security using Excel files.

These files are managed by the business. We want them to be able give access or take it away, without involvement of the BI-team.

 

For this, we have implemented Dynamic RLS with Excel:

 

[UserMail] = userprincipalname()

 

This solution works when we assign individual emailaddresses to the role.

Not when we assign an AD-group:

 

mramzi_0-1628065694841.png

 

The report loads, but doesn't have any data in it (BI-Controlling is the AD-group with people that need access).

The individuals in the AD-group should each have access to a separate part of the data.

 

Question 1:

Is it possible to decide per user what data can be seen, using Excel, while assiging AD-groups to the role? We don't want to have to assign each user separately.

 

Yes, should work. Solution must have a mistake!

 

Question 2:

As this doesn't work for me, which actions can I take to solve this?

Is there a solution?

 

Debugged solution by adding "userprincipalname()" as a measure and compare to the field on which RLS is applied.

 

Question 3:

We have an AD-group with all members (3000+) of the enterprise.

Assigning this group to a role results in following error:

 

Something went wrong

The role could not be updated. Please try again later.

Please try again later or contact support. If you contact support, please provide these details.

 

 

Works with smaller security-groups, must be the size.

Are their any limitations to the size of an AD-Group?

Any known ways to overcome this? Or does this have an other possible cause?

 

Any help, comments, or input is very welcome.

Have a productive day! 🙂

 

Best regards,

Ramzi

 

Labels:
Message 1 of 6
693 Views
0
1 ACCEPTED SOLUTION
amitchandak
Super User
Super User

‎08-04-2021 05:01 AM

@mramzi , as far as I know, emailed enabled AD group should work. Is this group is email enabled?



View solution in original post

Message 2 of 6
651 Views
5 REPLIES 5
v-yalanwu-msft
Community Support
Community Support

‎08-06-2021 12:36 AM

Hi, @mramzi ;

If you can run success in desktop but fail in service,  In the Power BI service, you can add a member to the role by typing in the email address or name of the user or security group. You can't add Groups created in Power BI. You can add members external to your organization.

vyalanwumsft_0-1628235384850.png

https://docs.microsoft.com/en-us/power-bi/admin/service-admin-rls

Best Regards,
Community Support Team_ Yalan Wu
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

 

How to get your questions answered quickly -- How to provide sample data
Message 5 of 6
612 Views
mramzi
Frequent Visitor
In response to v-yalanwu-msft

‎08-06-2021 01:59 AM

Hi Yalanwu,

 

Thank you for your answer. I am already testing the RLS in that way.

Found the issue elsewhere:

 

In our organisation we have each 2 mail addresses a short one and a long one:

UserCode@Organization.com and firstname.lastname@Organization.com

 

In Power BI Desktop, the first is used. In Power BI Service, the latter is used.

Because another emailaddress is used than expected, the logged user couldn't be mapped to the datamodel. Result: no data.

 

I can fix this by providing a link for both email addresses.

If anybody has more information about this phenomenom, I would be very interested.

 

Kind regards,

Ramzi

Message 6 of 6
602 Views
0
amitchandak
Super User
Super User

‎08-04-2021 05:01 AM

@mramzi , as far as I know, emailed enabled AD group should work. Is this group is email enabled?



Message 2 of 6
652 Views
mramzi
Frequent Visitor
In response to amitchandak

‎08-06-2021 02:23 AM

Hi, Amitchandak,

 

Yes, the group is email enabled, it also apears in the list as sugestion, when i fill in the text-box.

I think it's just to big. Does anybody have experience with using very big security groups for RLS?

 

 

Kind regards,

Ramzi

Message 4 of 6
599 Views
0
mramzi
Frequent Visitor
In response to amitchandak

‎08-04-2021 05:07 AM

Hi amitchandak,

 

Thank you very much for your answer.

 

You're right. When I assign a single user to the role, it doesn't work neither.

Consider Question 1 solved.

 

Addition to question 2:

In Power BI desktop, when I test this role, it works. In Power BI Service, when I test it, it doesn't work?

Anything I can check?

 

Kind regards?

Ramzi

Message 3 of 6
646 Views
0

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All