I have a weird issue with the Row Level Security in Power BI - for some users the RLS is working while for other it isn't.
Here is my situation:
I have a workspace in Power BI Service. All users are defined as "Viewers", including the user A and user C:
I have a Power BI dataset & report with 2 RLS roles:
"Alles": a role with no filters
"MA-Aus": a role with a filter that filters out the entire table "MA Auslastung":
I deployed the dataset & report to Power BI service and map the users to the RLS roles. I add user A and user C into the "MA-Aus" role. This means they shouldn't see any data from the "MA Auslastung" table:
I go to "Test as Role" to check if everything is working as expected:
I test the "MA-Aus" role. No value is shown in the "MA Sollzeit". This is correct - the table is filtered out, so the measure is blank.
I test the user A. No value is shown in the "MA Sollzeit". This is correct - the table is filtered out, so the measure is blank.
- I test the user C. "MA Sollzeit" returns value. The filter is not applied, RLS is not working.
What is happening here? Both users are configured correctly (viewers in the workspace, added to the role). For user A the RLS is working while for user C the filter from the role is not applied.
Related
I created a role in Power BI desktop - filters the data using UserPrincipalName().
I go to Security in the Power BI Service and add a member to the role. Everything works great!
Now, I need to add another 799 members to this role. Isn't there an easier way? How do I make this work so that for any user that runs the report, the filter kicks in and the user sees all data related to them, without explicitly adding them to the role I defined?
Here's what I ended up doing:
User = CONCATENATEX(Responses, IF(Responses[Feedback For] = USERPRINCIPALNAME(), "This User", "Other User"))
I created a measure called User and added this measure as a filter - locked it and made it invisible.
I have put in RLS rules on SSMS - they are restricted by Azure AD security groups created for this purpose. The Azure AD security groups have been added as user to the Azure SQL database through CREATE USER [Sec Group Name] FROM EXTERNAL PROVIDER. They work fine as the testing in SSMS shows logging in as different users into SSMS and using SELECT * FROM [RLS Tbl Name] is working as expected.
When I connect this Azure SQL DB to Power BI there are no rows coming through in the PBIX file (there should be some rows but not all in line with the RLS in place). Obviously, any report created from a blank table returns only blank visuals. Further, when I try to "View As" in Power BI, there are no rows (a table with no rows is all I can see). Further, when I publish the report to the service and log in as different users, it still shows blank rows in the report. Please note that the logged in user for the PBIX file is a "permitted" user under the RLS mandate
In desperation, I opened a new Excel workbook (logged in as the same "permitted" user) and connect it to the database, there are no rows that come through.
As a final check, I made a quick Power Apps app and I connected the above Azure SQL Database and published it to powerapps.com and note that the correct number of rows come through depending upon which user has logged in.
In summary,
The RLS is working fine in SSMS (as logging in through different users outputs filtered rows in line with the RLS specified)
The RLS is NOT working in Power BI (either in the PBIX or the service)
The RLS is NOT working in Excel as connecting the same to the Azure SQL database is outputting blank rows. In connecting the Azure SQL DB the conventional route of Get Data > Azure > Azure SQL Database been used (and NOT Analyse in Excel
The RLS is working in Power Apps as it is correctly outputting the filtered number of rows depending upon the logged in user and his priveleges
I am at a loss to understand the different outcomes on Power BI, Power Apps and Excel.
The following points may be of use to further understand the problem
In stating all of the above, I am using the same user when I compare Power BI behaviour, Power Apps behaviour, SSMS behaviour and Excel behaviour
Different users have different entitlements/privileges. Care has however been taken that when a different user is selected for anything mentioned in point 1, the other platforms also have the exact same user logged in - so that the comparison is not apples to oranges
In stating the full mail above, at no point has a user who doesnt have permission been referred to (as this would explain the blank rows)
Am I missing something entirely as I did not expect to encounter a different behaviour across different platforms (SSMS, Power BI Desktop, Power BI Service, Power Apps and Excel)
Edit - 13 Oct 22
To be precise - there are 3 AD security groups and any row in the SQL table "belongs" to only 1 AD sec group out of the 3. The RLS dictates that a user logging in will be able to see only the rows created by the security group to which he belongs to. Therefore, if A logs in - he will be able to see only the rows for X security group (since he is a part of that security group). When you log into SSMS as different users, it is correctly filtering the rows of the SQL table in line with the RLS rules. Further, when you connect the SQL table to Power Apps, it correctly takes only the filtered SQL table.
However, connecting the same SQL table to Power BI and Excel results in a blank table on both these platforms.
I have the next model in SSAS cube:
(Clients connect to the fact table too)
As seen, a filter in User Access will propagate all the way to the fact…
If I have a dynamic role security with some filter on DAX in User access, will it be applied even if I don’t put/select User access table in the frontend in Power BI??
Per my test, the filter gets applied only if I use a filter from that table, if I don’t use that table the dynamic security does not get applied, why is this??
You should be using the role to filter your security table.
This filters the [_login_id] column of the security table for the user.
With this filter propagating to related tables, the user cannot see any rows hidden by the RLS filter.
There are two important exceptions to this rule though. SSAS admins can see all data regardless of any filters, and in Power BI, if you are an admin, member, or contributor in the workspace, you have access to all the data and RLS does not apply to you. For testing, use the "Test as role" function from the RLS settings in the Power BI Service.
I have a Powerbi report which has RLS Implement through a dimension table
I have created Roles with individual email ID and user principal name and this seems to be working perfectly well .
however when I want to add close to 600 users, I have created a Distribution list And when I put the DL in the role it does not seem to work.
All the users have premium subscription.
Any pointers here will be much appreciated
We currently host data for multiple users in our database. I'd like to implement embedded power BI into our web app. When the user logs into our system, I'd like the data source to be filtered according to the user that is logged in, so e.g. SELECT * FROM Table1 WHERE ItemID in (ItemID1, ItemID2) etc..., we aren't going to know what ItemID1, ItemID2 etc... are until after the user has logged on.
Is this possible with PowerBI embedded?
To filter data for Power BI users based on which user is logging in to the embedded web app, complete the following:
Sample:
Create a table to store the usernames for each filter "group."
You will use DAX to create a measure to identify the users from your table, and assign them to a specific user role group. Below is the DAX to use:
[USERNAME] = [Current User]
Create the measure described in point #2 in the Row-Level security settings. By creating different "groups" for the users, you are essentially dynamically-building a "filter," where you only show the users what they should be seeing--thus resulting in pseudo-filtering. For more information see the following:
https://learn.microsoft.com/en-us/power-bi/desktop-tutorial-row-level-security-onprem-ssas-tabular
http://community.powerbi.com/t5/Service/Restricting-filters-to-specific-users-in-Power-BI-report/td-p/109111
Hope this helps!