Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Earn a 50% discount on the DP-600 certification exam by completing the Fabric 30 Days to Learn It challenge.

Reply
rebeccaETE
Helper I
Helper I

Object Level Security Security Roles Not Working

‎10-26-2021 12:12 AM

Hi all, 

 

I have implemented two security roles on my dataset that determines whether users can see the Finance table or not. One role is called "FinanceUsers" and the other "NoneFinanceUsers". When I test the NoneFinanceUsers role, it works as it should (breaking report visuals that use fields from that table), but when I add a person to that role and view it for that specific person, it does not work. 

 

I've tried adding myself (owner of dataset) to the NoneFinanceUsers. I can still see everything. I tried adding my boss (admin of workspace to which dataset is published). He can still see everything. I then tried adding a colleague of mine, who is a member of the workspace to which the dataset is published. He could also see everything. 

 

Can anyone explain this behavior to me? I believe I've set up the roles correctly, and since it works when I test the role itself, I don't know why it doesn't work when I add people to the role and test as them.. 

 

Any help is greatly appreciated!  

Labels:
Message 1 of 8
2,654 Views
0
1 ACCEPTED SOLUTION
v-rzhou-msft
Community Support
Community Support
In response to rebeccaETE

‎10-31-2021 08:05 PM

Hi @rebeccaETE 

If people can see all data without being assigned any security role, they should have edit permission in Power BI workspace. There are two kinds of app workspace in Power BI Service.

New workspace: admins, members and contributors have edit permission.

You may refer to this blog about roles in new workspace.

Classic workspace: only has two roles admin and member. Admin can assign edit or view permission to member in this classic workspace.

For reference:Create a classic workspace based on a Microsoft 365 group

Could you tell me if your problem has been solved? If it is, kindly Accept it as the solution. More people will benefit from it. Or you are still confused about it, please provide me with more details about your problem.

 

Best Regards,
Rico Zhou

 

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

 

 

 

View solution in original post

Message 7 of 8
2,481 Views
7 REPLIES 7
rebeccaETE
Helper I
Helper I

‎10-26-2021 12:25 AM

I found this on a blog post on the matter (https://5minutebi.com/2021/07/05/power-bi-object-level-security/

 

rebeccaETE_0-1635233029071.png

 

Can that really be? So the Contributor and Member roles in a given workspace automatically supersedes the OLS roles? That seems weird. 

 

Message 2 of 8
2,634 Views
v-rzhou-msft
Community Support
Community Support
In response to rebeccaETE

‎10-28-2021 01:06 AM

Hi @rebeccaETE 

The end user needs to only have read permission to the report. I test OLS, I find it is similar like RLS in Power BI. If your end user have edit permission to the report, the OLS/RLS will not work. They could see all things in your report.

 

Best Regards,
Rico Zhou

 

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Message 3 of 8
2,567 Views
0
rebeccaETE
Helper I
Helper I
In response to v-rzhou-msft

‎10-28-2021 01:15 AM

Hi @v-rzhou-msft,

 

Yes but having read access to the report doesn't ensure that they can see the report, if they are not in OLS roles, I found. 

 

My colleague had read access to the data model and the app to which I published the report. But if hadn't put him in any of the OLS roles, he couldn't see the report at all. He had build access to the model also, and that did not matter. 

 

I also tried testing his build access, when in the role "cannot see table". Sure enough, if he connected to the model, he could see all the tables EXCEPT the one locked by OLS. 

 

So I found that build access does not supersede OLS. However, workspace membership does. When I added him to the workspace to which the data model is published, it didn't matter what OLS role I gave him, he could see everything. 

 

Are these the same result you got when testing it? 

Message 4 of 8
2,551 Views
0
v-rzhou-msft
Community Support
Community Support
In response to rebeccaETE

‎10-28-2021 07:33 PM

Hi @rebeccaETE 

Edit permission does not mean build permission to the dataset. It means edit permission the workspace memvers like admin, member or contributor assigned in their workspace. You need to add the users into the role in Security in Power BI Service. Or the users don't have edit permission will see nothing due to OLS.

For reference: Using RLS with workspaces in Power BI

Even if Viewers are given Build permissions to the dataset, RLS/OLS still applies. Workspace members assigned AdminMember, or Contributor have edit permission for the dataset and, therefore, RLS doesn’t apply to them. If you want RLS to apply to people in a workspace, you can only assign them the Viewer role.

 

Best Regards,
Rico Zhou

 

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Message 5 of 8
2,534 Views
0
rebeccaETE
Helper I
Helper I
In response to v-rzhou-msft

‎10-29-2021 02:35 AM

Hi @v-rzhou-msft 

 

Yes, that is exactly what I found. Just didn't know that workspace membership (with that I mean members, admins and contributors) was called "edit permission". Still new to all this terminology 😅

 

What I was afraid of originally was that people not assigned any security role could view the data as default, since I heard many say that the default permission is equivalent to read in Tabular Editor. But I found that that was not the case, so I'm more confident with using OLS now. 

 

Thanks for taking your time with this  

Message 6 of 8
2,514 Views
0
v-rzhou-msft
Community Support
Community Support
In response to rebeccaETE

‎10-31-2021 08:05 PM

Hi @rebeccaETE 

If people can see all data without being assigned any security role, they should have edit permission in Power BI workspace. There are two kinds of app workspace in Power BI Service.

New workspace: admins, members and contributors have edit permission.

You may refer to this blog about roles in new workspace.

Classic workspace: only has two roles admin and member. Admin can assign edit or view permission to member in this classic workspace.

For reference:Create a classic workspace based on a Microsoft 365 group

Could you tell me if your problem has been solved? If it is, kindly Accept it as the solution. More people will benefit from it. Or you are still confused about it, please provide me with more details about your problem.

 

Best Regards,
Rico Zhou

 

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

 

 

 

Message 7 of 8
2,482 Views
rebeccaETE
Helper I
Helper I
In response to v-rzhou-msft

‎11-03-2021 12:09 AM

Hi @v-rzhou-msft 

 

Yes, thank you for clarifying. That answered my question of why OLS did not work for my two colleagues and myself, as we are part of the workspace. 

 

Cheers!

Message 8 of 8
2,448 Views
0

Helpful resources

Announcements
LearnSurvey

Fabric certifications survey

Certification feedback opportunity for the community.

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All