Anonymous
Not applicable

RLS issue when a user belongs to multiple AAD groups

Hi all!

 

I am having some issues with my role-level security setup.

My organization uses Azure Active Directory groups, which usually works fine. However, when a person belongs to multiple groups it sometimes causes issues in Power BI.

 

For simplicity, let's say that my company has 2 employees. 

Brian is a consultant and belongs in the AAD group staff.all

Tina is a supervisor, so she belongs to the AAD groups staff.all and staff.supervisors

In Power BI, I have set up two roles: Staff and Supervisors

 

Brian should only see data belonging to him, so I have set a rule to the (Employees) table in the 'Staff role':

[email] = USERPRINCIPALNAME()

This works great, and Brian can only see himself on the project 'Cloud Migration'. 

 

Tina is a supervisor in Finland, so she should see all projects in Finland.  I have set a rule on the (Projects) table in the 'Supervisors role':

[Country] = "Finland"

This is where things go wrong. Tina still only sees the project she works for. If I remove Tina from staff.all, the issue goes away (but this is not an option). I have also tried adding '1 = 1' or 'TRUE()' to the Employees table for the 'Supervisors role'. Neither helps.

 

rls.png

 

Has anyone experienced a similar issue and know of a way to solve this?

parry2k
Super User

@Anonymous based on your example, Tina would see only project 8, as that is the only one that belongs to Finland, if you have more than two projects in Finland. Which roles are you enabling when you are testing RLS?



Subscribe to the @PowerBIHowTo YT channel for an upcoming video on List and Record functions in Power Query!!

Learn Power BI and Fabric - subscribe to our YT channel - Click here: @PowerBIHowTo

If my solution proved useful, I'd be delighted to receive Kudos. When you put effort into asking a question, it's equally thoughtful to acknowledge and give Kudos to the individual who helped you solve the problem. It's a small gesture that shows appreciation and encouragement! ❤


Did I answer your question? Mark my post as a solution. Proud to be a Super User! Appreciate your Kudos 🙂
Feel free to email me with any of your BI needs.

Anonymous
Not applicable

Project 10 also belongs to Finland. No employees are assigned to it, but I still want Tina to see it. 

 

Shouldn't Power BI choose the least restrictive role or the role that returns the most data? 

@Anonymous no, you have to tell which role to use, if you are using both the roles for Tina, you will not see project 10. There is no concept of least role or role that returns most of the data.




Anonymous
Not applicable

I think when you say "you have to tell which role to use", you are referring to the desktop feature "View as role", correct? But what about when the user actually logs in using his/her USERPRINCIPALNAME() and belongs to two different AD groups which have two different role-settings in PBI?

@Anonymous In Power BI service, you will add user to respective role, here is how to do this




Anonymous
Not applicable

Yes, of course this is done.

Here you see Tina's AAD roles. 

All users - staff.<country>.distribution on the picture, is the staff.all group I described in this post. They only see their own data using email = USERPRINCIPALNAME()

 

But when she belongs to two groups, it puts limitations on the data she sees. 

 

rlsroles.png
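
As an added example (not part of the thread and not Power BI code), this Python model evaluates the two role rules from the question over constructed tables, showing what each role exposes on its own and what the union gives under Power BI's documented additive handling of multiple roles. The table contents, e-mail addresses, the Assignments bridge table and the assumption that the Employees filter propagates to Projects are all illustrative.

```python
# Constructed sample model: table contents, e-mail addresses and the
# Assignments bridge table are assumptions, not data from the thread.
EMPLOYEES = [{"email": "brian@example.com"}, {"email": "tina@example.com"}]
PROJECTS = [
    {"id": 1, "name": "Cloud Migration", "country": "Sweden"},
    {"id": 8, "name": "Project 8", "country": "Finland"},
    {"id": 10, "name": "Project 10", "country": "Finland"},  # nobody assigned
]
ASSIGNMENTS = [("brian@example.com", 1), ("tina@example.com", 8)]

# Role -> table -> row predicate, mirroring the two DAX rules in the question.
ROLES = {
    "Staff": {"Employees": lambda row, upn: row["email"] == upn},
    "Supervisors": {"Projects": lambda row, upn: row["country"] == "Finland"},
}


def visible_projects(role, upn):
    """Project ids one role exposes, assuming the Employees filter
    propagates through Assignments to Projects (assumed relationship)."""
    rules = ROLES[role]
    allowed = {p["id"] for p in PROJECTS}
    if "Projects" in rules:
        allowed &= {p["id"] for p in PROJECTS if rules["Projects"](p, upn)}
    if "Employees" in rules:
        emails = {e["email"] for e in EMPLOYEES if rules["Employees"](e, upn)}
        allowed &= {pid for email, pid in ASSIGNMENTS if email in emails}
    return allowed


def effective_projects(roles, upn):
    """Union across roles: the additive rule Power BI documents for a
    user who is a member of more than one role."""
    result = set()
    for role in roles:
        result |= visible_projects(role, upn)
    return result


def report(upn, roles):
    """Per-role project ids plus the combined (union) set for one user."""
    per_role = {r: sorted(visible_projects(r, upn)) for r in roles}
    return per_role, sorted(effective_projects(roles, upn))


if __name__ == "__main__":
    print(report("brian@example.com", ["Staff"]))
    print(report("tina@example.com", ["Staff", "Supervisors"]))
```

Comparing these sets with what "View as role" shows for each role alone and for both together helps separate a problem in the role rules from one in the model relationships or role membership.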
