Solved: Dynamic RLS with USERPrincipalName

Anonymous · ‎12-03-2018

Dears,

I am using a basic dax expression "[Short UserId] = USERNAME()" and USERPRINCIPALNAME().

This is the table I am using:

The relationship we have:

When publishing the report on the Power BI Service the report is not reflecting the RLS. It is not filtering this simple example.

Could you help me to understand what am I doing wrong or how can I fix this incident?

Thanks in advance,

Kind regards,

henriquesilveir · ‎12-03-2018

@Anonymous the print screen is from the PBI Service?

could you post the other?

i asked you to post print of PBI service , and PBI Desktop.

Create a report page for each print... one inside the powerbi.com other into your envoirment PBI Desktop.

example: sometimes, inside your PBI desktop, the username could return mydomain\henrique.silveira inside the PBI Service henrique.silveira@mydomain.com

because this i want these 2 prints... if it till correcly you need make some changes to it works fine...

PS: When you have a edit permission into workspace, RLS doesn't apply for edit members...

take a look: https://docs.microsoft.com/en-us/power-bi/service-admin-rls

Using RLS with app workspaces in Power BI

If you publish your Power BI Desktop report to an app workspace within the Power BI service, the roles will be applied to read-only members. You will need to indicate that members can only view Power BI content within the app workspace settings.

Another question, have you Applied security filter in both directions?

View solution in original post

Anonymous · ‎12-03-2018

@henriquesilveir Thanks,

There it was. Test members had edit permissions within the Workspace.

The rest points were already verified and checked and everything seemed to be ok.

Working properly now after giving read-only membership.

Thanks for your quick responses.

Kind regards,

View solution in original post

henriquesilveir · ‎12-03-2018

@Anonymous hello, i always use RLS, but for this case in specific i hope that you need create the security group.

Take a look in this article it will help you!

https://www.fourmoo.com/2018/02/20/dynamic-row-level-security-is-easy-with-active-directory-security-groups/

PS: Is not necessary to create security group into 365. i do it using only the on premises security group into ad.

Anonymous · ‎12-03-2018

Thanks for your answer.

Anyhow, I don't think that creating a group would solve the issue as I have already included those users (single users) in the Role in Power BI Service.

The thing is that I feel the RLS expression is not being recognised in the Power BI Service. When i do try the role in the desktop it works properly.

Anonymous · ‎12-03-2018

@henriquesilveir

henriquesilveir · ‎12-03-2018

@Anonymous OK. TIP for you. into your report in PBI service, use the dax which was created, and see what is returning to username and principalusername , perhaps, when you publish into service it could returning a different user for PBI Desktop and service!

Please, print the 2 cases here. the data of username and userprincipalname in PBI Service and Desktop

Waiting on you!

alexlibby · ‎07-26-2021

Hi there- i have been following this thread as I am having the same issue. It works perfectly in the desktop then stops respecting the RLS when published. How do I find out what name the PBI service is using? How do I use the dax in the power bi service?

Anonymous · ‎12-03-2018

@henriquesilveir , Yes, that's something i made already and it was providing the right expression

henriquesilveir · ‎12-03-2018