dancarr22
Helper V

RLS using USERPRINCIPAL Name - for 50+ users - need to add them all individually?

Hello,

We are using RLS security by leveraging USERPRINCIPALNAME. This works. The only issue is there are many different users with different permissions. Do we need to add everyone in PBI service to that secured role separately? Online documentation states that groups do not work - and in our testing that seems to be the case. Just hoping there is a workaround, as the number of users could balloon to hundreds and it would be a pain to have to add each of them individually to the role in PBI service.

Thanks,

Dan

1 ACCEPTED SOLUTION

In Dynamic RLS you usually have a single role. That role has ideally only distribution lists as members, usually PDLs maintained by an external tool.


6 REPLIES
dancarr22
Helper V

Got it - thanks!  I was under the impression that we could not use groups when adding role users.  But, if we can do that - it makes sense.  Thanks - issue resolved.

lbendlin
Super User

If you use dynamic RLS then your data model needs to contain a mapping table between email addresses and capabilities/permissions. Ideally that table is maintained outside of Power BI.

Thanks @lbendlin - I do have dynamic RLS set up. The issue is we still have to go into the service security and add every user individually to that role. And any time a new user is given access - which works behind the scenes because it is managed in our SQL database - we still need to set that new person up in PBI Service role security. Unless I'm missing something.

Seems like it would be much easier if we could just add the USERPRINCIPALNAME filter directly to the SQL WHERE clause in the connection string - but that doesn't seem to be possible in M. Doing so would prevent the need of having to add every person to the secure role in PBI service.

Thanks,
Dan

"The issue is we still have to go into the service security and add every user individually to that role."

Not sure I understand that part. Usually all you need to do is refresh your semantic model to pull in the new user mapping information.

You can consider using Direct Query with SSO passthrough.

Maybe I misunderstood how RLS works, but I thought that everyone who needs to be secured - in addition to being in the database - and filtered via RLS - they also need to be added to the role in PBI service for the given semantic model's security here:

[image: dancarr22_0-1708709894559.png]

i.e. this is not the last step:

[image: dancarr22_1-1708710002371.png]

...still need everyone to be added individually to PBI service role. Not great as we have 50 or so users so far and there will be many more in the future. And cannot assign a group to a role - and have it work.


