Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Compete to become Power BI Data Viz World Champion! First round ends August 18th. Get started.

Reply
Anonymous
Not applicable

Dynamic RLS and all access

‎03-17-2023 01:20 PM

Hi Community!

I'm new on this forum, prior i have found all my answers here but today i want to ask my first question. Please forgive me any newbie errors. 

I have created dynamic rls for my report and it is working for the users that are listed in the roles that are restricted (userprincipalname). Now my question is i have some users that should have access to 100% of the data. So in the rls roles currently i have only listed the people with restricted access, not the people with 100% access as those don't have a relationship to the data. So i figured if i just share the report with them they should have access however when they open the report it says "The report can't be viewed because the underlying dataset uses row-level security (RLS)". 

How can i share with someone to have access to all?

Or do i need to create a new role for those members?

Let me know if you need additional information in order to understand my request. 

Message 1 of 4
1,987 Views
0
1 ACCEPTED SOLUTION
MarkLaf
Super User
Super User

‎03-17-2023 03:45 PM

I think the short answer is, yes, you have to add a "No RLS" security group to put them in. Make sure that anyone you have in "No RLS" is not also in any other RLS group.

 

There is a longer answer if your scenario is:

  1. you are adding all users (via distribution list email, security group, etc.) to a single dynamic RLS group that leverages USERNAME/USERPRINCIPALNAME against a Users table
    AND
  2. your Users table only includes people with some kind of restriction, but people who are in the RLS group but not in the Users table should see all rows

In this case, you can create a measure that returns TRUE if the current user is NOT in the Users table, and then just add that to your RLS conditions with an OR.

Example:

Say you have a simple dynamic RLS model like so:

MarkLaf_2-1679092457570.png

With RLS set up like this:

MarkLaf_0-1679092371573.png

Then you can create the following measure:

Super User Check = 
CALCULATE(
    ISEMPTY( Users ),
    TREATAS( { USERPRINCIPALNAME() }, Users[User] ),
    REMOVEFILTERS( Users )
)

And update your RLS accordingly:

MarkLaf_3-1679092779579.png

Remember, everyone still needs to be added to Dyn RLS in your dataset security settings on the service.

View solution in original post

Message 3 of 4
1,926 Views
3 REPLIES 3
MarkLaf
Super User
Super User

‎03-17-2023 03:45 PM

I think the short answer is, yes, you have to add a "No RLS" security group to put them in. Make sure that anyone you have in "No RLS" is not also in any other RLS group.

 

There is a longer answer if your scenario is:

  1. you are adding all users (via distribution list email, security group, etc.) to a single dynamic RLS group that leverages USERNAME/USERPRINCIPALNAME against a Users table
    AND
  2. your Users table only includes people with some kind of restriction, but people who are in the RLS group but not in the Users table should see all rows

In this case, you can create a measure that returns TRUE if the current user is NOT in the Users table, and then just add that to your RLS conditions with an OR.

Example:

Say you have a simple dynamic RLS model like so:

MarkLaf_2-1679092457570.png

With RLS set up like this:

MarkLaf_0-1679092371573.png

Then you can create the following measure:

Super User Check = 
CALCULATE(
    ISEMPTY( Users ),
    TREATAS( { USERPRINCIPALNAME() }, Users[User] ),
    REMOVEFILTERS( Users )
)

And update your RLS accordingly:

MarkLaf_3-1679092779579.png

Remember, everyone still needs to be added to Dyn RLS in your dataset security settings on the service.

Message 3 of 4
1,927 Views
Anonymous
Not applicable
In response to MarkLaf

‎03-17-2023 04:06 PM

Thank you! 

The simple answer worked for me! I added a group called "All access" that doesn't have a relationship. Users i put in there showed all data. 

Appreciate the help!

Message 4 of 4
1,917 Views
0
andhiii079845
Solution Sage
Solution Sage

‎03-17-2023 01:41 PM

I realize it in one report that I use only the userprincipalname to indentifty the person and than create a own role-access table in the report itself. Example:
If you have 3 departments X,Y,Z , I but the filter criteria (X,Y,Z) in this table.

 

USERFilterDepartment
1X
2X
2Z
3Y

 

I use this table as a lookup table in my dax expression to filter the different other tables in the report.

 





Did I answer your question? Mark my post as a solution!

Proud to be a Super User!




Message 2 of 4
1,975 Views
0

Helpful resources

Announcements
July PBI25 Carousel

Power BI Monthly Update - July 2025

Check out the July 2025 Power BI update to learn about new features.

August 2025 community update carousel

Fabric Community Update - August 2025

Find out what's new and trending in the Fabric community.

View All