Anonymous
Not applicable

RLS Not Working Properly?

Hi all,

 

I created RLS in a report that I built.

Let's say I want to restrict the data based on project.

I created a role called RLS-ProjectX, which has a definition of [Project] = "X", then deployed the report to Power BI Report Server (May 2019).

 

In the Report Server, I go to Manage > Row-Level Security > Add Member, and add user A to RLS-ProjectX role.

User A can only see project X-related data in the report, but everyone else cannot see anything (see the error message below).

Capture.PNG

 

I then created another role called RLS-ProjectAll, with no definition, then in the Report Server, I assigned Everyone to that role.

The report works again but User A can see everything (even though user A is still assigned to RLS-ProjectX role).

 

How can I overcome this issue?

Is it meant to work like that?

 

I deployed the report to Power BI Service, and it seems to behave differently.

As long as the user is not assigned to RLS-ProjectX role, the report still works for them (and no one is assigned to RLS-ProjectAll role).

 

Thanks in advance.

3 REPLIES 3
d_gosbell
Super User


@Anonymous wrote:

 

How can I overcome this issue?

Is it meant to work like that?

 


Yes, it is meant to work like this. If User A is a member of both RLS-ProjectX and RLS-ProjectALL, the list of available projects which the user can see is generated by unioning the list of projects from each role, so User A will see all projects. The solution is to not include User A in the membership for the RLS-ProjectALL role.

 

The permissions on the service are slightly different as you also have the overlay of the workspace permissions to think about.

Anonymous
Not applicable


@d_gosbell wrote:


Yes, it is meant to work like this. If User A is a member of both RLS-ProjectX and RLS-ProjectALL, the list of available projects which the user can see is generated by unioning the list of projects from each role, so User A will see all projects. The solution is to not include User A in the membership for the RLS-ProjectALL role.

 


Is there an easy way to assign everyone except User A in the RLS-ProjectALL group?

It's not practical to include users one by one.


@Anonymous wrote:


Is there an easy way to assign everyone except User A in the RLS-ProjectALL group?


Not really. We usually use AD Groups in our role membership rather than adding individual users. But you still have the problem then of creating a group without that one person in it. You could also use PowerShell or some other scripting approach to either populate a group or the role membership.
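
The role behaviour discussed in this thread, as an added example that is not part of any post: a simplified Python model (not Power BI's own engine) in which a user's roles are unioned, with an audit that flags users holding both a filtered and an unfiltered role and a helper that computes the member list for RLS-ProjectAll. The user names, the contents of the `Everyone` group and the sample rows are constructed.

```python
ROWS = [{"Project": p} for p in ("X", "Y", "Z")]  # constructed sample rows
# Role -> row filter; None models a role with no definition (no filter).
ROLES = {"RLS-ProjectX": lambda row: row["Project"] == "X",
         "RLS-ProjectAll": None}
GROUPS = {"Everyone": {"UserA", "UserB", "UserC"}}  # constructed directory


def expand(members):
    """Resolve group names to users; any other name is taken as a user."""
    users = set()
    for m in members:
        users |= GROUPS.get(m, {m})
    return users


def visible_projects(user, assignments):
    """Union of what each of the user's roles allows; None if no role."""
    mine = [r for r, m in assignments.items() if user in expand(m)]
    if not mine:
        return None  # Report Server case from the thread: report errors out
    return {row["Project"] for row in ROWS
            if any(ROLES[r] is None or ROLES[r](row) for r in mine)}


def split_members(assignments):
    """Return (users in filtered roles, users in unfiltered roles)."""
    filtered, unfiltered = set(), set()
    for role, members in assignments.items():
        (unfiltered if ROLES[role] is None else filtered).update(expand(members))
    return filtered, unfiltered


def overexposed(assignments):
    """Users whose filtered role is cancelled by an unfiltered one."""
    filtered, unfiltered = split_members(assignments)
    return filtered & unfiltered


def unrestricted_members(assignments, everyone="Everyone"):
    """Explicit list for the unfiltered role: everyone minus filtered users."""
    return sorted(GROUPS[everyone] - split_members(assignments)[0])


BROKEN = {"RLS-ProjectX": ["UserA"], "RLS-ProjectAll": ["Everyone"]}
FIXED = {"RLS-ProjectX": ["UserA"], "RLS-ProjectAll": unrestricted_members(BROKEN)}
```

Running `overexposed` against an export of the real role assignments after every membership change catches the case where a broad group silently re-adds a restricted user to the unfiltered role.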
