Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
imranamikhan
Helper V
Helper V

Row Level Security using User Principal Name (UPN)

‎06-24-2019 08:16 PM

Hi,

 

I am trying to set up Row Level Security to restrict the data a user can view based on their e-mail address but I am having an issue.

 

Context:

 

Table A is what users have access to. This table contains data with account codes.

 

Table B contains accounts codes together with the user name and e-mail of the users assigned to that account code.

 

Because a user can be linked to multiple account codes, I have created a simple bridge table which contains unique account codes to create a relationship between Table A and Table B.

 

Sample 2.PNG

 

As a check to ensure Table A is correctly filtering account codes based on a users’ e-mail address. I added Table A and Table B to a test page, and then selected an e-mail address from Table B to see if the Table A correctly displayed only account codes linked to the selected e-mail address. This worked as expected.

 

Sample.PNG

 

I would now like to replicate this functionality into a role using row level security. I have tried to do this using User Principal Name (UPN) by creating a role with the following expression:

 

[E-mail Address] = userprincipalname()

 

This does not work after testing. I even added even USERPRINCIPALNAME() to a card to check if the e-mail address displayed correctly and it did.

 

I suspect I am missing something obvious and I would appreciate it if anyone could take a look.

 

Best regards,

Labels:
Message 1 of 10
13,740 Views
0
1 ACCEPTED SOLUTION
Anonymous
Not applicable
In response to jdbuchanan71

‎07-03-2019 12:34 PM

Never mind. I figured out what I was doing wrong. I think part of my brain is already floating on the lake, totally NOT thinking about Power BI. 🙂

 

I just forget to both click "View As" and also select the role. Again, total brain fail I am blaming on the upcoming holiday.

 

Thanks! Scott

View solution in original post

Message 10 of 10
13,665 Views
9 REPLIES 9
Anonymous
Not applicable

‎07-03-2019 11:08 AM

Did you ever this this resolved? I am wondering if RLS/View As Roles is buggy in the latest PBI Desktop release? I have a lot of experience with RLS and using UserPrincipalName() in roles. However, now, when I use my own user, the security role works fine. But as soon as I use View As Role with any value, it just returns all the data. This is obvious not how it is supposed to work.

 

Is anyone else have issues like this with the most recent release?

Message 5 of 10
13,681 Views
0
jdbuchanan71
Super User
Super User
In response to Anonymous

‎07-03-2019 11:11 AM

I ran into odd behavior if the person I view as was a member of the workspace.  I think it's because the user can get to the dataset that RLS doesn't filter it down.  Perhaps try it as a user you have just shared the report with?

Message 6 of 10
13,680 Views
0
Anonymous
Not applicable
In response to jdbuchanan71

‎07-03-2019 12:34 PM

Never mind. I figured out what I was doing wrong. I think part of my brain is already floating on the lake, totally NOT thinking about Power BI. 🙂

 

I just forget to both click "View As" and also select the role. Again, total brain fail I am blaming on the upcoming holiday.

 

Thanks! Scott

Message 10 of 10
13,666 Views
Anonymous
Not applicable
In response to jdbuchanan71

‎07-03-2019 11:18 AM

I am testing in PBI Desktop. And I just did one more test. The role is straigtforward - '[e-mail] = userprincipalname()' and then I entered a valid email into the View As Role textbox 'test@email.com'. This still (incorrectly) returned all the values in the table, not just the ones I own. I then changed the security role to '[e-mail] = 'test@email.com"' and when I applied it, only the records owned by that email came back, as is supposed to happen.

 

Again, I think it is a bug.

Message 7 of 10
13,659 Views
0
smishra99acres
Frequent Visitor
In response to Anonymous

‎02-20-2023 10:00 PM

Same issue facing how did you solve this issue.i am getting all data except that i own

Message 9 of 10
3,885 Views
0
smishra99acres
Frequent Visitor
In response to Anonymous

‎02-20-2023 09:09 PM

Hav you got the solution? i am facing same issue

Message 8 of 10
3,892 Views
0
svishwanathan
Helper III
Helper III

‎06-24-2019 09:45 PM

Hi 

Can you elaborate what you mean by row level security is not working. How are you testing this? You would create the measure under Modelling> Manage Roles. Be sure to pick the correct table this measure should filter against

 

You may find this useful

https://www.blue-granite.com/blog/using-dynamic-row-level-security-with-organizational-hierarchies

Message 2 of 10
13,730 Views
jdbuchanan71
Super User
Super User
In response to svishwanathan

‎06-24-2019 10:14 PM

After publishing the report with the role Test with the filter [E-mail Address] = userprincipalname() did you add the users to the Test role in the Power BI service?

https://docs.microsoft.com/en-us/power-bi/service-admin-rls

One way that makes it easier is to add an active directory security group to the role.  You can also share the report with the security group.  That way, when a new employee comes on, if they get added to that security group, the report is already shared with them and RLS is applied.

One other note, for the long list of filters, instead of

[Group Company Code] = "DE14" || [Group Company Code] = "DE12" || [Group Company Code] = "DE11" || [Group Company Code] = "DE10" || [Group Company Code] = "DE09" || [Group Company Code] = "DE08" || [Group Company Code] = "DE07" || [Group Company Code] = "DE06" || [Group Company Code] = "DE05" || [Group Company Code] = "DE04" || [Group Company Code] = "DE03" || [Group Company Code] = "CH05" || [Group Company Code] = "CH03" || [Group Company Code] = "CH02" || [Group Company Code] = "AT03" || [Group Company Code] = "AT0220" || [Group Company Code] = "AT0210" || [Group Company Code] = "AT0200"

you can use the new IN function

[Group Company Code] IN {"AT0200", "AT0210", "AT0220", "AT03", "CH02", "CH03", "CH05", "DE03", "DE04", "DE05", "DE06", "DE07", "DE08", "DE09", "DE10", "DE11", "DE12", "DE14"}

 

Message 3 of 10
13,718 Views
imranamikhan
Helper V
Helper V
In response to jdbuchanan71

‎07-01-2019 07:24 AM

Hi both,

 

Apologies for the delayed response. Thanks for the tip re the IN function.

 

Because Table A and Table B have a relationship, what I mean by row level security not working is that when I publish the report to the Power Bi Service, or select View as Roles in Desktop mode, I expect Table A to display only data relevant to the e-mail address of the person who opened the report (via the userprincipalname expression). As noted in more detail in my first post, if I select an e-mail address from Table B in Desktop, Table A correctly displays data relevant to the selected e-mail address in Table B (because of the relationship between the tables).

 

One possible clue is that I have created this role against Table B (Security Mapping) rather than Table A (FPI & Accounts). I have done this because it is that table which has the e-mail address.

 

I hope this is clearer.

 

Best regards,

 

Sample.PNG

Message 4 of 10
13,699 Views
0

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All