Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Earn the coveted Fabric Analytics Engineer certification. 100% off your exam for a limited time only!

Reply
Ole111
Helper II
Helper II

Composite Model - Access Restrictions Problem

Hello Community,

 

I need a help in solving the following issue.

 

There is a report with company's financial results, with restricted access to the data through RLS settings in the model.
Report is published to a workspace common for all employees (the roles and RLS limit the access for each user).

 

There was a need to create a separate report with a brief summary of key data for a whole company from above report with financial results. I created a summary report based on the dataset of above report plus added a new table of captions specific to the new report (composite model).
This new report was published to a new workspace shared with a group of users - they have different level of access to the source report of company's results (some can see only a part of data, some all of it).
All members of this group should see the same key numbers for a whole company, so there is no RLS applied in a new brief report.

As a result, after publishing of the report, only those of the users who have unlimited access to the source report can see the new brief report. The others can not see anything - just greyed-out fields; even year and month slicers.

 

When trying to test the security level in the new report I got a message:
"Any previously defined RLS security is no longer working. You will need to re-create RLS in Power BI Desktop."

 

That suggests that RLS shouldn't be inherited from a source report, so the access shouldn't be restricted.
Even if he source RLS interferes with the new report I can not manipulate with this from the new report since in Manage Roles I have only one table available (the new one with report captions).

 

Is there any way to make a brief report available without access limits from source report while using the source report model as a data source?

Replicating the same model in the new report would be a chore.

 

Thanks in advance for any help and regards.

12 REPLIES 12
v-rzhou-msft
Community Support
Community Support

Hi @Ole111 

I think you may use Dierect Query for Power BI dataset function, then upload a loacl table. Then your connection mode will transfor to Mixed mode.

For reference: considerations-and-limitations

  • RLS rules will be applied on the source on which they are defined, but will not be applied to any other datasets in the model. RLS defined in the report will not be applied to remote sources, and RLS set on remote sources will not be applied to other data sources.

If you load your dataset into model, the rls won't work any more. You will need to set an other RLS for your new report. 

Could you tell me what is the kind of your data source?

Please download the latest version of desktop and try again.

And please check the connection mode of your report and try to republish your report.

 

Best Regards,

Rico Zhou

 

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly. 

Hi @v-rzhou-msft

 

Thanks for the response.

 

The model had been created exactly as you wrote:

  1. Connected to Power BI Dataset (Direct Query)
  2. Added a table through inserting data (the mode had changed to Mixed)

As for desktop version it is the latest one.

Reading the documentation you refer to I wander how the RLS inheritance really behaves?:

“RLS rules will be applied on the source on which they are defined, but will not be applied to any other datasets in the model.”

 Ho does it relate to information got when trying to test security status:

“Any previously defined RLS security is no longer working. You will need to re-create RLS in Power BI Desktop.”

Does ‘not working’ refer only to the new tables in composite model? If so, is there any way to give an access to the summary report based on source report for users who have RLS restrictions set in the source report?  

I have the same issue.

This seems like the key question:
"Does ‘not working’ refer only to the new tables in composite model?"

If the existing RLS is transferred, then it is a bit weird that there is no information about it here. But I hope it is. Did you get to test this on your data?

@joarobert 

Indeed there is no information about any inherited RLS roles. The manage roles pane is blank:

Zrzut ekranu 2021-11-10 135831.png

You can only create the new roles, and only for a newly added tables (not from source model):

Zrzut ekranu 2021-11-10 135859.png

In the service, when getting into security option, there is such an information:

Zrzut ekranu 2021-11-10 135931.png

All in all, quite confusing.

 

Regards,

Dariusz

 

Hi Dariusz

Actually in our case, we have just finished a test of whether the RLS from the original is transferred despite the above message. And our test showed that it was. 

So I believe the above message is just the one you get before you add any RLS. And we get it, because we have not added RLS in the tables that was added to the original dataset to create the composite model (we do not need RLS on those). But the message does not mean that the RLS from the original (main) dataset does not work for the composite model. It does.

They could give some more information, but in conclusion, it does actually work. So the answer to "Does ‘not working’ refer only to the new tables in [the] composite model?" is actually "Yes".

@joarobert 

That was also my conclusion based on the behavior of composite model I’ve got.

 

Regards,

Dariusz

 

Great. So the problem seems to be solved 🙂

Now our problem is just that if you make a composite model and the later update the main DirectQuery-connected dataset with e.g. new dimension, measures, etc., then those changes to the dataset is not transferred automatically to the composite model; and it seems there is no way to include them other than create the composite model from scratch again. I should ask this in a new thread, but if you have some experience about this, let me know. 🙂

To be honest I gave up any further experimenting with composite model after facing problems with inherited RLS settings. As I wrote before, I just ended up with building a twin model from the scratch - without RLS.

 

Regards,

Dariusz

Hi @Ole111 

The RLS 's workload is as below.

1. Manage role in Power BI Desktop.

2. Publish report and add users into Role in Security from Dataset.

I try to load a dataset with RLS into model by Direct Query for Power BI Dataset. There is no roles I set for the dataset in Manage role.

1.png

So, if we use this function, we need to create RLS again in Power BI Desktop.

 

Best Regards,

Rico Zhou

 

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly. 

Hi @v-rzhou-msft 

 

I have an impression that my point maybe unclear.

 

The RLS is set in source detailed report and I do not want to set any RLS in a new summary report.

 

The situation I face is following. Financial Report shows full P&L. Most of people have an access to data down to Gross Margin level (no access to overhead cost data). The new Summary Report should show to everybody summary of Revenue, Gros Margin and Operational Result (after overhead deduction) – thus no need for any RLS.

But if I use a Direct Query to  Financial Report dataset to get key captions from P&L (with no details) as a result only people with no RLS restriction in Financial Report can see the Summary Report. Everybody included in RLS scheme in Financial Report can see only greyed-out placeholders of visuals (including year and month slicers) in the Summary Report.

So my understanding is that RLS restriction from the source report is inherited by  the new report and people who cannot see the Operational Result in source file are not allowed to see anything in the Summary Report because it includes the Operational Result line.

 

Then my point is to find a way to show to everybody just a few key numbers from P&L using the model created for Financial Report where majority of the users can see only the part of the P&L.

 

Kind regards

Hey, did you ever find a solution? Facing exactly the same issue!

No.

Finally I ended up with creating the same model from scratch (all queries and calculated tables/columns as original one) and made a report showing just key data.

Then I published it to everybody with viewer rights.

That means that I have to maintain two models in parallel. Pity.

Helpful resources

Announcements
April AMA free

Microsoft Fabric AMA Livestream

Join us Tuesday, April 09, 9:00 – 10:00 AM PST for a live, expert-led Q&A session on all things Microsoft Fabric!

March Fabric Community Update

Fabric Community Update - March 2024

Find out what's new and trending in the Fabric Community.

Top Solution Authors
Top Kudoed Authors