Solved: RLS user with two roles generating error when acce...

aseagull · ‎07-02-2022

Hi! I tried to make this subject as detailed as I could...More specifically, I have two groups of users managed via email dist lists, A and B. Everyone in A is also in B. (This is how the lists are set up; outside my control.) A users have unrestricted access to certain reports that B users have role-restricted access to. Those reports are located in a workspace that B users have View permission on. They have been set up with two roles: an Admin role (with no filters in the pbix file) with A users added in the service. And another role, with the appropriate restriction in the pbix file, with B users added in the service.

When A accesses the report via the app in B's workspace, A gets an error (neither no data, nor all data...just errors). When A accesses the report via a direct link (or just browsing in the service), it loads fine. To recap: A has View access to the report in question because A is a subset of B, and B users are Viewers on the workspace. A users, via RLS, have a role that shows all. And this works fine unless they reach the report through B's app.

I've replicated this with another user. But it's quite difficult to test as I do not have a test account. From what I understand from IT, our Microsoft license will not allow test accounts on O365. Is this possible? Or is it just IT's way of telling me we shouldn't waste money on a test account?

I'll appreciate any pointers. Thank you!

Amon

otravers · ‎07-07-2022

I haven't used apps in a while but if memory serves, you need to publish changes made to its component artifacts (e.g. report, dashboard) after its creation. Can you check that the app has the latest version of the dataset with RLS rules built in? Maybe it needs to be republished if it was created before RLS were part of the underlying PBIX.

------------------------------------------------
1. How to get your question answered quickly - good questions get good answers!
2. Learning how to fish > being spoon-fed without active thinking.
3. Please accept as a solution posts that resolve your questions.
------------------------------------------------
BI Blog: Datamarts | RLS/OLS | Dev Tools | Languages | Aggregations | XMLA/APIs | Field Parameters | Custom Visuals

View solution in original post

GilbertQ · ‎07-03-2022

Hi @aseagull

First off you certainly can get any account you want, Microsoft does not place any limits on account creation.

Second I would suggest working through it with a test account.

And also even though currently you have to work through List A and List B this will be quite hard to control and manage in Power BI with RLS due to the overlap of the groups.

What I can say about RLS is that the reason it is working is because RLS uses lowest priviledge, which means that it will use the combintion of roles for the users that are in List A and B.

Did I answer your question? Mark my post as a solution!

Proud to be a Super User!

Power BI Blog

aseagull · ‎07-04-2022

Hi @gil and thank you for your feedback. I will check again with IT. It also occurs to me that maybe I can use that test account that MS offers, though I don't know if it includes the ability to create email distribution lists on an Exchange server.

The weird thing here is that everything works fine if the user reaches the report through his home page in the service (e.g., via "shared with me"), but when he goes through the app for the workspace, he gets errors. Honestly, it feels like a bug...unless MS makes no promises as to the behavior when a user participates in multiple roles.

I will check again into creating a test account. If it simply verifies what I've already seen with two users, is this simply a bug with apps? I asked a simpler version of this question on the GIAC livestream on Saturday 7/2, and they confirmed that it's possible to have a user belong to multiple roles.

aseagull · ‎07-07-2022

@GilbertQ (sorry I mistagged the wrong Gil above), FYI I created a parallel environment in a Microsoft developer's account evironment, and could not replicate the error. IT has agreed to temporary create an account on our production system so I can troubleshoot the problem where it sits...to be continued.

I anticipate I may look foolish when this is over.

GilbertQ · ‎07-07-2022

Hi @aseagull

Never foolish, it is a learning experience for all.

Did I answer your question? Mark my post as a solution!

Proud to be a Super User!

Power BI Blog

otravers · ‎07-07-2022

I haven't used apps in a while but if memory serves, you need to publish changes made to its component artifacts (e.g. report, dashboard) after its creation. Can you check that the app has the latest version of the dataset with RLS rules built in? Maybe it needs to be republished if it was created before RLS were part of the underlying PBIX.

------------------------------------------------
1. How to get your question answered quickly - good questions get good answers!
2. Learning how to fish > being spoon-fed without active thinking.
3. Please accept as a solution posts that resolve your questions.
------------------------------------------------
BI Blog: Datamarts | RLS/OLS | Dev Tools | Languages | Aggregations | XMLA/APIs | Field Parameters | Custom Visuals

aseagull · ‎07-19-2022

Yes, this was it! Sorry for the delay; I didn't get a test account, appropriately privileged, until yesterday.

Biggest lesson here, which I should have figured out on my own: If a report is working with direct access, and not through an app, first tip is to republish the app!!

RLS user with two roles generating error when accessing via workspace app, not via direct link

Helpful resources

Microsoft Fabric Learn Together

Power BI Monthly Update - April 2024

Fabric Community Update - April 2024