Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Get inspired! Check out the entries from the Power BI DataViz World Championships preliminary rounds and give kudos to your favorites. View the vizzies.

Reply
Anonymous
Not applicable

RLS issue when a user belongs to multiple AAD groups

‎02-19-2020 05:46 AM

Hi all!

 

I am having some issues with my role-leve-security setup. 

My organization uses Azure Active Directory groups, which usually works fine. However, when a person belongs to multiple groups it soemtimes causes issues in Power BI.

 

For simplicity, let's say that my company has 2 employees. 

Brian is a consultant and belongs in the AAD group staff.all

Tina is a supervisor, so she belongs to the AAD groups staff.all and staff.supervisors

In Power BI, I have set up two roles: Staff and Supervisors

 

Brian should only see data belonging to him, so I have set a rule to the (Employees) table in the 'Staff role':

[email] = USERPRINCIPALNAME()

This works great, and Brian can only see himself on the project 'Cloud Migration'. 

 

Tina is a supervisor in Finland, so she should see all projects in Finland.  I have set a rule on the (Projects) table in the 'Supervisors role':

[Country] = "Finland"

This is where things go wrong. Tina still only sees the project she works for. If I remove Tina from staff.all, the issue goes away (but this is not an option). I have also tried adding '1 = 1' or 'TRUE()' to the Employees table for the 'Supervisors role'. Neither help.  

 

rls.png

 

Has anyone experienced a similar issue and know of a way to solve this?

Labels:
Message 1 of 7
1,687 Views
0
6 REPLIES 6
parry2k
Super User
Super User

‎02-19-2020 09:12 PM

@Anonymous based on your example, Tina would see only project 8 as that is the only one belongs to Finland, if you have more than two projects in Finland. Whcih roles you are enabling when you are testing RLS? 



Subscribe to the @PowerBIHowTo YT channel for an upcoming video on List and Record functions in Power Query!!

Learn Power BI and Fabric - subscribe to our YT channel - Click here: @PowerBIHowTo

If my solution proved useful, I'd be delighted to receive Kudos. When you put effort into asking a question, it's equally thoughtful to acknowledge and give Kudos to the individual who helped you solve the problem. It's a small gesture that shows appreciation and encouragement! ❤


Did I answer your question? Mark my post as a solution. Proud to be a Super User! Appreciate your Kudos 🙂
Feel free to email me with any of your BI needs.

Message 2 of 7
1,655 Views
0
Anonymous
Not applicable
In response to parry2k

‎02-20-2020 12:18 AM

Project 10 also belongs to Finland. No employees are assigned to it, but I still want Tina to see it. 

 

Shouldn't Power BI choose the least restrictive role or the role that returns the most data? 

Message 3 of 7
1,650 Views
0
parry2k
Super User
Super User
In response to Anonymous

‎02-20-2020 04:05 AM

@Anonymous no, you have to tell which role to use, if you are using both the roles for Tina, you will not see project 10. There is no concept of least role or role that returns most of the data.



Subscribe to the @PowerBIHowTo YT channel for an upcoming video on List and Record functions in Power Query!!

Learn Power BI and Fabric - subscribe to our YT channel - Click here: @PowerBIHowTo

If my solution proved useful, I'd be delighted to receive Kudos. When you put effort into asking a question, it's equally thoughtful to acknowledge and give Kudos to the individual who helped you solve the problem. It's a small gesture that shows appreciation and encouragement! ❤


Did I answer your question? Mark my post as a solution. Proud to be a Super User! Appreciate your Kudos 🙂
Feel free to email me with any of your BI needs.

Message 4 of 7
1,643 Views
0
Anonymous
Not applicable
In response to parry2k

‎02-20-2020 04:18 AM

I think when you say "you have to tell which role to use", you are refering to the desktop feature "View as role", correct? But what about when the user actually logs in using his/her USERPRINCIPALNAME() and belongs to two different AD groups which have two different role-settings in PBI? 

Message 5 of 7
1,640 Views
0
parry2k
Super User
Super User
In response to Anonymous

‎02-20-2020 04:24 AM

@Anonymous IN power bi service, you will add user to respective role, here is how to do this



Subscribe to the @PowerBIHowTo YT channel for an upcoming video on List and Record functions in Power Query!!

Learn Power BI and Fabric - subscribe to our YT channel - Click here: @PowerBIHowTo

If my solution proved useful, I'd be delighted to receive Kudos. When you put effort into asking a question, it's equally thoughtful to acknowledge and give Kudos to the individual who helped you solve the problem. It's a small gesture that shows appreciation and encouragement! ❤


Did I answer your question? Mark my post as a solution. Proud to be a Super User! Appreciate your Kudos 🙂
Feel free to email me with any of your BI needs.

Message 6 of 7
1,637 Views
0
Anonymous
Not applicable
In response to parry2k

‎02-20-2020 04:29 AM

Yes, of course this is done.

Here you see Tina's AAD roles. 

All users - staff.<country>.distribution on the picture, is the staff.all group I described in this post. They only see their own data using email = USERPRINCIPALNAME()

 

But when she belongs to two groups, it puts limitations on the data she sees. 

 

rlsroles.png

Message 7 of 7
1,635 Views
0

Helpful resources

Announcements
Las Vegas 2025

Join us at the Microsoft Fabric Community Conference

March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount!

FebPBI_Carousel

Power BI Monthly Update - February 2025

Check out the February 2025 Power BI update to learn about new features.

Feb2025 NL Carousel

Fabric Community Update - February 2025

Find out what's new and trending in the Fabric community.

View All
Top Solution Authors
View All
Top Kudoed Authors
View All