Axiomite
Resolver II

RLS not working for a certain user in group if access is set to viewer

Hi there,
I have a challenge with a single user in the Power BI Service.
The user has been added to an AD group called "all regions". This group is specified in an RLS table and when published the group is also added to RLS on the Power BI service.

This works for all the users I've added in the past. However, since the end of last week one of the users is not seeing any data in the visuals, almost as if he would have no regions assigned in the Desktop RLS table.
All the other users are set up as Viewer in the workspace access group. However, with this specific user it only works if I make the user a contributor.

I have even tried adding this user "manually" by adding every region and email of the user, in other words so it would work if the user is not in the group. This also doesn't seem to solve the problem. It is odd, I have cross-checked with other users.

Also made contact with our infrastructure team to see if it could have anything to do with licenses etc.

 

Anyone out there with similar experience?

 

Kind Regards,

Niel 

1 ACCEPTED SOLUTION

USERPRINCIPALNAME() will always return the email of the person signed in, not the security group. I'd try setting up the RLS table using their email instead of the security groups (but you can still assign the RLS role in the Power BI service using a security group).

 

My guess is for the other users where RLS works, they have other RLS roles that supersede the security group based RLS role. Without seeing more of the data it is hard to validate the issue.

But if you are 100% sure you have set it up correctly, then it could maybe be a bug and you can submit a support ticket to Microsoft in the Power Platform admin page.


8 REPLIES 8
Axiomite
Resolver II

@Tutu_in_YYC 

Thanks for your assistance. 
RLS DAX: [UserPrincipalName] = UserPrincipalName()

Where [UserPrincipalName] is the user's email address

Relationship between RLS table and the dimTable as follows:

Example of what the relationship data looks like is something like "CAPE" on the RLS side and "CAPE" on the dimBranchHierarchy side.

 

Axiomite_0-1652248346371.png

 

Let me know if you require any additional information. 

 

Thanks again!

Tutu_in_YYC_0-1652369883184.png

 

For the All Region Group, are you using the email of the security group? If yes, that may not work, as USERPRINCIPALNAME() will return the user's email instead of the security group email. Is that the case?

Hi,
This is how my security group is set up.

Axiomite_0-1652680390291.png

It's a group created in the AD. It works for all the other users except this specific user. That is the mystery, why is it working for all other users except for this user? Does it make sense to you?




@Tutu Many thanks for your time and advice. I followed the advice, removed the security group and am now only using my RLS table using emails. It's a manual process but I will pursue my investigation as soon as I have spare capacity.

Tutu_in_YYC
Resident Rockstar

Hi Niel,

If your user sees this error:

Tutu_in_YYC_0-1652129391632.png

Then RLS is preventing him from viewing the report.

If he doesn't see that, it means that RLS is allowing him to access the data. If he sees no data in the visuals, I'd check if there is a relationship issue in the data model, i.e. white space exists in his name or the keys or the columns in the table that are being used for the relationship.
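An added example, not part of the original thread or any poster's code: a Python audit over exported RLS and dimension tables that covers the two checks suggested in this thread, namely identity rows holding a group address instead of the signed-in user's address, and keys or names that differ only by whitespace or case. The function name, addresses and table contents are constructed for illustration.

```python
import unicodedata

def norm(s):
    """Near-match form: NFKC (folds non-breaking space to space), trim, casefold."""
    return unicodedata.normalize("NFKC", s).strip().casefold()

def audit_rls(rls_rows, dim_keys, upn, group_addresses=()):
    """rls_rows: (identity, key) pairs exported from the RLS table.
    dim_keys: values of the related dimension column.
    upn: the value USERPRINCIPALNAME() returns for the affected user.
    Uses strict equality and reports anything that matches only after normalising."""
    dim_exact = set(dim_keys)
    dim_norm = {norm(k) for k in dim_keys}
    groups = {norm(g) for g in group_addresses}
    report = {"matched": [], "key_near_miss": [], "key_missing": [],
              "identity_near_miss": [], "group_rows": []}
    for identity, key in rls_rows:
        if norm(identity) in groups:
            # A group address never equals a signed-in user's own address.
            report["group_rows"].append((identity, key))
        elif identity != upn:
            if norm(identity) == norm(upn):
                report["identity_near_miss"].append((identity, key))
            # otherwise the row belongs to another user
        elif key in dim_exact:
            report["matched"].append(key)
        elif norm(key) in dim_norm:
            report["key_near_miss"].append(key)
        else:
            report["key_missing"].append(key)
    return report

# Constructed sample data (not taken from the thread's model).
DIM_KEYS = ["CAPE", "NORTH", "EAST"]
RLS_ROWS = [
    ("user.d@example.com", "CAPE"),
    ("user.g@example.com", "CAPE\u00a0"),   # trailing non-breaking space in key
    ("User.G@example.com ", "NORTH"),       # stray space and case in identity
    ("user.g@example.com", "WEST"),         # key absent from the dimension
    ("all.regions@example.com", "EAST"),    # group address used as identity
]

if __name__ == "__main__":
    result = audit_rls(RLS_ROWS, DIM_KEYS, "user.g@example.com",
                       group_addresses=["all.regions@example.com"])
    for finding, rows in result.items():
        print(f"{finding}: {rows!r}")
```

Run the audit with the identity the service actually evaluates for the affected user, and test with that user as a workspace Viewer: RLS in the Power BI service is not applied to workspace Admins, Members or Contributors.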

@Tutu_in_YYC 

Thanks, correct, RLS is allowing the user to access the data and there is no data in the visuals. I've checked all relationships and white spaces as mentioned, but the user is set up exactly as below:

Axiomite_0-1652190783705.png

Thus user D and user F are able to see the data; however, user G (the problem user) is not seeing the data in the visuals. I have verified licenses, to see if there are any funnies in the AD. However, user G has nothing different than user D and user F.

 

Hope the above is a bit more explanatory than my initial post.

 

Kind regards

Can you also provide the RLS DAX syntax for the roles that you have set up? I will try to replicate this.

My guess is you have something like this:
'RLS'[UserPrinciple] = USERPRINCIPALNAME()

