jpt1228
Responsive Resident

PBI Shared data set not prompting for user credentials to BW

I have connected to BW via a Bex query to create a data set and published to the service. Then power users (read write share) can connect to that data source in Power BI as a shared data set. They create content and share with other users (read only). The problem I have is the read only users are able to see the same view I have when I created the shared data set.

 

How do we make users enter their credentials to pass through RLS that works when connecting with test users directly from the desktop to the Bex query?

 

Thanks

 

Jon

collinq
Super User

Hi @jpt1228 ,

 

When you go to the share in the dataset what access do those users have? And, in the Service, do you have the RLS set up in the security with named userids? If so, that should resolve it - they sign into Power BI service and then they get the permissions as per the RLS security.

 

I would appreciate Kudos if my response was helpful. I would also appreciate it if you would Mark this As a Solution if it solved the problem. Thanks!

 

 




Did I answer your question? Mark my post as a solution!

Proud to be a Datanaut!
Private message me for consulting or training needs.




jpt1228
Responsive Resident

Hello @collinq we are not managing any RLS in the data model itself. We want to utilize existing BW security schemas via credentials. This works as expected when connecting to the query via the PBI desktop. Once the user utilizes the Power BI data set it doesn't prompt for their credentials.

 

Thanks

 

Jon

Ok @jpt1228 , it sounds like you do NOT want them to have the datasets - when you shared the report with them did you UNcheck the "Allow recipients to build new content using the underlying datasets". Perhaps you need to undo that and then they won't be able to get to that part.

 





jpt1228
Responsive Resident

Hi @collinq I want them to have access to the data sets - I just do not want them to have access to ALL the data. Filtered to sales region. If they connect desktop to the data they have to put their credentials in and security works as expected.

 

We are sharing a data model with them and it is using the gateway user authorizations.

Hi @jpt1228 ,

 

I just found this as well:

 

Limitations

The current limitations for row-level security on cloud models are as follows:

  • If you previously defined roles and rules in the Power BI service, you must re-create them in Power BI Desktop.

  • You can define RLS only on the datasets created with Power BI Desktop. If you want to enable RLS for datasets created with Excel, you must convert your files into Power BI Desktop (PBIX) files first. Learn more.

  • Only Import and DirectQuery connections are supported. Live connections to Analysis Services are handled in the on-premises model.

Do any of these apply?

 





Hi again @jpt1228 ,

 

RLS on datasets does not work on "live connection" datasets. Are you using Live Connection?

 





jpt1228
Responsive Resident

@collinq We are using a direct query connection. It works when connecting directly to the BW via desktop with BW credentials. I have been looking at Kerberos SSO thinking that might pass their credentials through the data model to the BW. We do not want to manage security in a secondary location/application.

Hmmmmmmm......

If it works as expected for individuals on the desktop (where we know they are using their userid) and NOT in the Service then my thought is that the browser is not requiring/recognizing their logins and/or it is just using a default higher permission login. Do you think that might be possible? Thinking out loud....

 





jpt1228
Responsive Resident

I suspect when I create the data model, publish to the service and connect the enterprise gateway it is using my credentials stored for all subsequent users to connect to that data model. I am missing a method to authorize users by BW security. Kerberos says it will pass the user credentials through to the underlying data sets. I do not have that configured. We want to share federated approved data sets and not allow users to create their own metrics and dimensions to maintain one version of the truth.

Hi @jpt1228 ,

 

I think that must be it - that the users are able to hijack the other permissions.  That is my theory anyway and why I was asking about service credentials.  Setting it up in Kerberos might be the way to go - and Kerberos security is always so easy to set up! 

😀

 





jpt1228
Responsive Resident

The gateway is a service level account. But using my credentials to publish the DM for other users to build off of.
