Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Don't miss out! 2025 Microsoft Fabric Community Conference, March 31 - April 2, Las Vegas, Nevada. Use code MSCUST for a $150 discount. Prices go up February 11th. Register now.

Reply
imranamikhan
Helper V
Helper V

Row Level Security using User Principal Name (UPN)

‎06-24-2019 08:16 PM

Hi,

 

I am trying to set up Row Level Security to restrict the data a user can view based on their e-mail address but I am having an issue.

 

Context:

 

Table A is what users have access to. This table contains data with account codes.

 

Table B contains accounts codes together with the user name and e-mail of the users assigned to that account code.

 

Because a user can be linked to multiple account codes, I have created a simple bridge table which contains unique account codes to create a relationship between Table A and Table B.

 

Sample 2.PNG

 

As a check to ensure Table A is correctly filtering account codes based on a users’ e-mail address. I added Table A and Table B to a test page, and then selected an e-mail address from Table B to see if the Table A correctly displayed only account codes linked to the selected e-mail address. This worked as expected.

 

Sample.PNG

 

I would now like to replicate this functionality into a role using row level security. I have tried to do this using User Principal Name (UPN) by creating a role with the following expression:

 

[E-mail Address] = userprincipalname()

 

This does not work after testing. I even added even USERPRINCIPALNAME() to a card to check if the e-mail address displayed correctly and it did.

 

I suspect I am missing something obvious and I would appreciate it if anyone could take a look.

 

Best regards,

Labels:
Message 1 of 10
15,843 Views
0
1 ACCEPTED SOLUTION
Anonymous
Not applicable
In response to jdbuchanan71

‎07-03-2019 12:34 PM

Never mind. I figured out what I was doing wrong. I think part of my brain is already floating on the lake, totally NOT thinking about Power BI. 🙂

 

I just forget to both click "View As" and also select the role. Again, total brain fail I am blaming on the upcoming holiday.

 

Thanks! Scott

View solution in original post

Message 10 of 10
15,768 Views
9 REPLIES 9
Anonymous
Not applicable

‎07-03-2019 11:08 AM

Did you ever this this resolved? I am wondering if RLS/View As Roles is buggy in the latest PBI Desktop release? I have a lot of experience with RLS and using UserPrincipalName() in roles. However, now, when I use my own user, the security role works fine. But as soon as I use View As Role with any value, it just returns all the data. This is obvious not how it is supposed to work.

 

Is anyone else have issues like this with the most recent release?

Message 5 of 10
15,784 Views
0
jdbuchanan71
Super User
Super User
In response to Anonymous

‎07-03-2019 11:11 AM

I ran into odd behavior if the person I view as was a member of the workspace.  I think it's because the user can get to the dataset that RLS doesn't filter it down.  Perhaps try it as a user you have just shared the report with?

Message 6 of 10
15,783 Views
0
Anonymous
Not applicable
In response to jdbuchanan71

‎07-03-2019 12:34 PM

Never mind. I figured out what I was doing wrong. I think part of my brain is already floating on the lake, totally NOT thinking about Power BI. 🙂

 

I just forget to both click "View As" and also select the role. Again, total brain fail I am blaming on the upcoming holiday.

 

Thanks! Scott

Message 10 of 10
15,769 Views
Anonymous
Not applicable
In response to jdbuchanan71

‎07-03-2019 11:18 AM

I am testing in PBI Desktop. And I just did one more test. The role is straigtforward - '[e-mail] = userprincipalname()' and then I entered a valid email into the View As Role textbox 'test@email.com'. This still (incorrectly) returned all the values in the table, not just the ones I own. I then changed the security role to '[e-mail] = 'test@email.com"' and when I applied it, only the records owned by that email came back, as is supposed to happen.

 

Again, I think it is a bug.

Message 7 of 10
15,762 Views
0
smishra99acres
Helper I
Helper I
In response to Anonymous

‎02-20-2023 10:00 PM

Same issue facing how did you solve this issue.i am getting all data except that i own

Message 9 of 10
5,988 Views
0
smishra99acres
Helper I
Helper I
In response to Anonymous

‎02-20-2023 09:09 PM

Hav you got the solution? i am facing same issue

Message 8 of 10
5,995 Views
0
svishwanathan
Helper III
Helper III

‎06-24-2019 09:45 PM

Hi 

Can you elaborate what you mean by row level security is not working. How are you testing this? You would create the measure under Modelling> Manage Roles. Be sure to pick the correct table this measure should filter against

 

You may find this useful

https://www.blue-granite.com/blog/using-dynamic-row-level-security-with-organizational-hierarchies

Message 2 of 10
15,833 Views
jdbuchanan71
Super User
Super User
In response to svishwanathan

‎06-24-2019 10:14 PM

After publishing the report with the role Test with the filter [E-mail Address] = userprincipalname() did you add the users to the Test role in the Power BI service?

https://docs.microsoft.com/en-us/power-bi/service-admin-rls

One way that makes it easier is to add an active directory security group to the role.  You can also share the report with the security group.  That way, when a new employee comes on, if they get added to that security group, the report is already shared with them and RLS is applied.

One other note, for the long list of filters, instead of

[Group Company Code] = "DE14" || [Group Company Code] = "DE12" || [Group Company Code] = "DE11" || [Group Company Code] = "DE10" || [Group Company Code] = "DE09" || [Group Company Code] = "DE08" || [Group Company Code] = "DE07" || [Group Company Code] = "DE06" || [Group Company Code] = "DE05" || [Group Company Code] = "DE04" || [Group Company Code] = "DE03" || [Group Company Code] = "CH05" || [Group Company Code] = "CH03" || [Group Company Code] = "CH02" || [Group Company Code] = "AT03" || [Group Company Code] = "AT0220" || [Group Company Code] = "AT0210" || [Group Company Code] = "AT0200"

you can use the new IN function

[Group Company Code] IN {"AT0200", "AT0210", "AT0220", "AT03", "CH02", "CH03", "CH05", "DE03", "DE04", "DE05", "DE06", "DE07", "DE08", "DE09", "DE10", "DE11", "DE12", "DE14"}

 

Message 3 of 10
15,821 Views
imranamikhan
Helper V
Helper V
In response to jdbuchanan71

‎07-01-2019 07:24 AM

Hi both,

 

Apologies for the delayed response. Thanks for the tip re the IN function.

 

Because Table A and Table B have a relationship, what I mean by row level security not working is that when I publish the report to the Power Bi Service, or select View as Roles in Desktop mode, I expect Table A to display only data relevant to the e-mail address of the person who opened the report (via the userprincipalname expression). As noted in more detail in my first post, if I select an e-mail address from Table B in Desktop, Table A correctly displays data relevant to the selected e-mail address in Table B (because of the relationship between the tables).

 

One possible clue is that I have created this role against Table B (Security Mapping) rather than Table A (FPI & Accounts). I have done this because it is that table which has the e-mail address.

 

I hope this is clearer.

 

Best regards,

 

Sample.PNG

Message 4 of 10
15,802 Views
0

Helpful resources

Announcements
Las Vegas 2025

Join us at the Microsoft Fabric Community Conference

March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount! Prices go up Feb. 11th.

Jan25PBI_Carousel

Power BI Monthly Update - January 2025

Check out the January 2025 Power BI update to learn about new features in Reporting, Modeling, and Data Connectivity.

Jan NL Carousel

Fabric Community Update - January 2025

Find out what's new and trending in the Fabric community.

View All