
Security issue with live ssas connection

There seems to be an issue with security when connecting live to ssas md cube from PBI desktop.

 

If you have set up security roles in ssas to prevent certain roles from seeing some measures, and then do the following steps, then the outcome is not as expected.

 

1. Connect to the cube live via PBI desktop for a user with restricted access to some measures. Hidden measures don't show up. OK!

2. Reconfigure the ssas security role of the member, to include one of the previously missing members.

3. Update data in PBI desktop. New measure appears. OK!

4. Reconfigure the same role as in step 2, to not include this measure any more.

5. Update data in PBI desktop. The measure remains visible and is NOT removed! NOT OK!

 

I've tried clearing the cache from within PBI desktop but that doesn't help. I've also verified by connecting to the cube via Excel under the credentials of the user, and the measure is not visible there any more. Neither is it visible if I browse the cube from management studio under the same user name. Only in PBI desktop it remains visible!

 

Somehow revoking access to the measure doesn't affect PBI, which I'm pretty sure is not how it should be working. Live connection must check access rights "on the fly".

 

Have tried from different users but always get the same result. Have tried posting on the forum but don't seem to get any replies there. Might be a setting that I don't know about so would be good if anyone could have a look at it and verify if it really is a bug or not.

Status: Delivered
Comments
Microsoft

@Anonymous

 

I find that there is an existing issue already reported internally: CRI 28158195

The response for it is that measure visibility is not reflected correctly in CSDL acquired from AS Engine. Does not repro in Import because PQ checks the mdschema instead of CSDL to determine what can be added to a query. The incorrect CSDL is an AS Engine bug and customer should submit a support ticket to SQL support directly. And AS Engine bugs typically take longer to get fixed because of their slower release cycle.

 

Best Regards,

Herbert

 
Anonymous

@v-haibl-msft

 

Thanks a lot for your input!

 

As a result we've registered a case with Microsoft support like you recommended, so hopefully this will be resolved eventually.