Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
spowell
Frequent Visitor

Users with multiple security roles suddenly can't see data

‎12-21-2021 10:15 AM

Hello,

 

Our organization recently ran into a problem that seems to be coming out of the blue. We have a Power BI report connected to a SQL server that uses row-level security and security roles to manage which of our internal users can see which data. Each of the report's tables has bidirectional security filtering [EDIT: none of the tables have bidirectional security filtering], and as far as I know this has been the case since the beginning. Users are assigned to roles based on which accounts they work on, so all users have multiple security roles and that has also been the case since the beginning. Every security role filters every table in the report. This has worked up until today.

 

Now many of our users are getting an error that says, "The user belongs to multiple roles that have security filters, which isn't supported when one of the roles has filters affecting the table 'Table Name' with SecurityFilteringBehavior=Both relationships." Some users have different values in the 'Table Name' slot, which suggests this isn't just one table that got its security filter setting flipped for some reason.

 

Two users with admin access to the workspace where the report is published are having no issues and don't see any errors.

 

I am at a loss to figure out what is going on, since the report was last republished weeks ago and no settings have been deliberately changed in the meantime. But it may be some setting I'm overlooking. Can you think of any troubleshooting steps I can take? Are there workarounds for this? Every security role filters every table in the report (two dozen security roles at this point x 5 tables), and this worked previously, so not looking for solutions that will require the tables to self-filter by user or that require the report to be restructured (since that would require a lengthy IT approval process) except as an absolute last resort... I just want to figure out what changed so I can undo it.

 

Thanks for any help you can offer.

 

ETA additional information: I discovered a few more details talking to users seeing the errors. There are some visuals that are still working and some that do not. Which visuals have an error is consistent between users with different security roles, so my next step will be checking the formulas for each of the columns and measures that those visuals have in common to see if there is any additional filtering behavior in them that might be an issue. I'll check that and post an update here afterward.

Labels:
Message 1 of 26
5,929 Views
0
2 ACCEPTED SOLUTIONS
bcdobbs
Super User
Super User
In response to bcdobbs

‎12-22-2021 01:02 AM

It does appear to be a feature change.

 

I've built exactly the same model in Power Bi Desktop 2.99.862.0 64-bit (November 2021)

 

bcdobbs_0-1640163541450.png

Relationship isn't flagging as being limited in this version.

 

If I view as two roles it works fine:

bcdobbs_1-1640163598926.png

@AlexisOlson have you seen any documentation on this?



Ben Dobbs

LinkedIn | Twitter | Blog

Did I answer your question? Mark my post as a solution! This will help others on the forum!
Appreciate your Kudos!!

View solution in original post

Message 16 of 26
5,769 Views
spowell
Frequent Visitor

‎01-13-2022 02:10 PM

I wanted to return and describe how I solved this issue in a way that allowed us to continue using multiple security roles for users, rather than the cumbersome workaround of having to define a custom role for each user.

 

For each table that had a many-to-many relationship with the main dataset, I used a step in Power Query to make a list of the unique values of their shared columns (in our case, taking unique values from the main dataset only, because unmatched values in the lookup tables don't matter). For example, the "Client Labels" table was connected to the "Current Dataset" table by client names in a many-to-many relationship where "Current Dataset" filtered "Client Labels" but not the other way around, so I created a list of unique client names, sorted it for human readability, and added it to the data model as an intermediary table.

 

let
    Source = List.Distinct(#"Current Dataset"[Client]),
    #"Sorted Items" = List.Sort(Source,Order.Ascending)
in
    #"Sorted Items"

 

Then I connected the new intermediary table to the "Current Datasets" table in a many-to-one relationship which allowed two-way filtering, and to the "Client Labels" table in a many-to-one relationship with one-way filtering. (You can't have two-way filtering of the same table from two different relationships, so you will need to prioritize which of the tables controls filtering of the intermediary table and which is subject to filtering only.)

 

I did this for each of the many-to-many relationships in the data model, deactivated the old relationships, and activated the new ones. This fixed the problem completely.

 

One thing to keep in mind is that the "Allow security filter in both directions" box needs to be unchecked for the relationships with two-way filtering. If it gets checked you'll have the same RLS error pop up for users with multiple roles.

View solution in original post

Message 24 of 26
5,067 Views
25 REPLIES 25
bcdobbs
Super User
Super User
In response to bcdobbs

‎12-23-2021 11:19 PM

@v-yiruan-msft can you give any information from Microsoft on this?



Ben Dobbs

LinkedIn | Twitter | Blog

Did I answer your question? Mark my post as a solution! This will help others on the forum!
Appreciate your Kudos!!
Message 19 of 26
805 Views
0
spowell
Frequent Visitor
In response to bcdobbs

‎12-22-2021 09:45 AM

Hi bcdobbs,

 

Yes, I was using November's version of Power BI. I updated to the December version and now I can also recreate the errors on desktop by viewing as multiple roles.

 

So that at least explains why it's happening now.

 

Thanks for all your help tracking down the source of the issue. If an intermediary table to break up the many-to-many relationships is viable for us, that does seem like the better long-term solution. Either way I have an explanation of what happened and a couple leads to follow for fixing it. Thank you!

Message 18 of 26
931 Views
AlexisOlson
Super User
Super User
In response to bcdobbs

‎12-22-2021 07:09 AM

Nope. I have seen and can't find any relevant documentation.

 

 

Message 17 of 26
819 Views
0
spowell
Frequent Visitor
In response to bcdobbs

‎12-21-2021 02:13 PM

That's what everything I found said, too, and I'm at a loss to explain what changed.

 

No, this is affecting a number of visuals on the main page of our report, and the user who discovered it is a frequent user who only noticed the issue today.

 

I am thinking as a temporary solution we're going to rework the way security roles work so that each person has 1 role that uses a DAX expression to filter to the accounts they're assigned to, instead of assigning users to roles at the service level. It will be less convenient but hopefully that will fix it.

 

Thank you for your help. I'll mark your last post as a solution since it doesn't sound like this is something we should ever have been able to do. (Still scratching my head that we were able to get away with it so long!)

Message 9 of 26
660 Views
0
bcdobbs
Super User
Super User

‎12-21-2021 10:45 AM

Just for clarity is the dataset setup in import mode and the RLS is defined in the dataset? Eg not direct query with SQL server handling the RLS?



Ben Dobbs

LinkedIn | Twitter | Blog

Did I answer your question? Mark my post as a solution! This will help others on the forum!
Appreciate your Kudos!!
Message 2 of 26
680 Views
0

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All