Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Earn the coveted Fabric Analytics Engineer certification. 100% off your exam for a limited time only!

December Update Issue - Multiple Roles in Row Level Security causing errors for user

We have had our row level security configured like this for a long time. After the December update, suddenly users that are part of two different security roles are getting an error on all visuals stating "The user belongs to multiple roles that have security filters, which isn't supported when one of the roles has filters affecting table 'StoreList' with SecurityFIlteringBehavior = Both relationships.

 

Prior to the December update, if a user was part of multiple roles, these roles were unioned in the output.

 

Are there plans on fixing this bug? If not, we will have to rework our RLS infrastructure.

 

Thanks 

Status: Delivered

Hi All,

 

We get confirm from the product team said this issue is related to design change. Just as the content from eric_collins, you will get an error message if you belong to multiple RLS roles and at least one of the roles relies on a limited relationship. For more details about limited relationship and what kind of relationships can be identified as limited relationships, please refer to Limited relatioships. And for more details about this scenario and its limitations and workaround, please refer to Issue: Multiple roles and limited relationships.

 

Best Regards,

Community Support Team _ Caiyun

Comments
v-cazheng-msft
Community Support
Status changed to: Accepted

Hi @Amerivike 

 

There is an existing ICM(279241513) that reported an similar issue(Members of multiple RLS roles suddenly couldn’t view report) and product team is investigating on it. If it is a urgent for you and you are a Pro user, please consider creating a support ticket in Power BI Support and the engineer assigned to you will help you troubleshot this issue or escalate it when needed. For how to create a support ticket, please refer to this blog.

 

Best Regards,

Community Support Team _ Caiyun

jcs93
Helper I

I have the EXACT same issue.  Everything was fine until the latest update on the service.  A report I hadn't touched in 6 months now has issues if someone is present in multiple RLS groups.

 

I will open a Support Ticket to get this resolved since it's affecting our daily operations.

jcs93
Helper I

@Amerivike ,

This is what MS Support sent me this morning:

jcs93_0-1642173075454.png

 

They also said that this change has not yet been published, but is currently active.

 

I'm rather disappointed the MS didn't notify anyone of this change, so now we have to scramble to make things work.

DavidAnton
Regular Visitor

We have the same issue, about 500 users can't use any of the reports that have been working for more than a year as most of our users belong to multiple roles.

I see no change related to RLS communicated in either the December Feature Summary, or anywhere for that matter. So I can not accept the answer that the MS support gave according to the post of @jcs93. This is not a new feature, this is a bug that a lot of organizations running productive systems could not prepare for.

jcs93
Helper I

@DavidAnton , I fully agree with you.  I was rather frustrated when on the support call when I was told "this is the way it works now."  The support tech could not find anything that announced the change, nor could he explain it better than what I pasted above.

 

I'd suggest submitting a support request to see if you can get a better answer.

DavidAnton
Regular Visitor

@jcs93 I will submit a ticket as you suggested.

I have found two other topics about the same issue, so a lot of users are struggling with the same problem:
https://community.powerbi.com/t5/Desktop/Users-with-multiple-security-roles-suddenly-can-t-see-data/...
https://community.powerbi.com/t5/Service/Dashboard-with-multiple-RLS-roles-work-in-My-Workspace-but-...

In the first thread there was a proposed solution (24th message) to change the many-to-many relationships by implementing a bridge table, but unfortunately that does not work. I have tested it and the error message is gone, but so are the restrictions, since it essentially deactivates the security filter.

YvonneK
Regular Visitor

We experience exactly same issue. The reports eith multiple files tot users cant bevcombined because we have verticale right on employee data and horizontale right on temp data. Why is Microsoft nog fixing this bug !! It worked perfectly for more than 2 years and suddenly users cant der al their data. This is onacceptabel.

eric_collins
New Member

For anyone still struggling with this, I put it a ticket last week. I was told over the phone that this would be patched in a future update, but that they couldn't give timelines. As some other users have pointed out, this seems to be because they changed the way many-to-many relationships work, and was at least known about prior to the update, because they changed the error message. We're fortunate our staff can be easily split by security level, but so many other companies don't have that luxury. Ultimately, a change at this level should have AT LEAST been made known prior to release. I've included the support email for anyone that needs it. 

 

 

Hello Eric

 

Thanks for your response!

 

Regarding your case, this seems to be related to a Known Issue.

 

Here’s what our Product Group mentioned regarding this :

 

“Please see the below changes to resolve this issue:

 

Nature of the problem: Power BI customers might experience issues while loading visuals and running DAX queries if below conditions are met:

  1. User who belongs to multiple RLS roles runs DAX query.
  2. At least one of the RLS filters is flowing through “limited” relationship.

eric_collins_0-1643029508523.png

 

See more details about limited relationships:

Model relationships in Power BI Desktop - Power BI | Microsoft Docs

We replaced analysis services behavior for scenario #3 to raise a following runtime error:

The user belongs to multiple roles 'CustomerPerm, TimePerm' that have security filters, which isn't supported when one of the roles has filters affecting table 'Sales' with SecurityFilteringBehavior=Both relationships.

(SecurityFilteringBehavior=Both” – this part is confusing, sorry about that. The error will be improved.)

 

Product Group is working on fully enabling this scenario in secure fashion for PowerBI products and it will be deployed in the upcoming releases of PowerBI.

 

 

Workarounds:

Customer needs to fix their problematic model to remove risk of unintentional information disclosure. To improve your model and avoid this error, please adopt one of the following options. It is introduced only to avoid potential data leak and improve the RLS model.

  1. Do not put any user into multiple roles (feasible for small/manageable number of roles):
    1. For user that belongs to both RLS_1 and RLS_2 create another RLS role e.g., RLS_12 which combines DAX filters as follows RLS_12 => RLS_1 union RLS_2.
    2. Remove user from RLS_1 and RLS_2, add user to RLS_12.

 

  1. Keep PowerBI RLS on single datasource island.

If it's necessary for a single user to belong to multiple security roles, make sure all RLS filters associated with the roles are defined on tables from a single data source.

 

  1. [Emergency option for PowerBI Premium only] Contact Microsoft Product Group to disable DAXStrictMultiRolesQueryPlanValidation and accept the risk associated with that decision.”
AdasK
Regular Visitor

Any update expected fix date? Still having this issue

v-cazheng-msft
Community Support
Status changed to: Delivered

Hi All,

 

We get confirm from the product team said this issue is related to design change. Just as the content from eric_collins, you will get an error message if you belong to multiple RLS roles and at least one of the roles relies on a limited relationship. For more details about limited relationship and what kind of relationships can be identified as limited relationships, please refer to Limited relatioships. And for more details about this scenario and its limitations and workaround, please refer to Issue: Multiple roles and limited relationships.

 

Best Regards,

Community Support Team _ Caiyun