Solved: Row Level Security - SSAS/Report Server

holykasrabi · ‎09-24-2025

Hi everybody,

I have been struggling lately about how I should implement the "RLS" so that it is reflected in the power bi dashboards.
In other words,
1- First, I have designed a SSAS project and implemented roles using dynamic rls and also added desired members

2- Then I deployed the project on an Analysis Server database

3- Creating live connection in power bi and designed my dashboard

4- uploaded the .pbix file on the report server (on-premise).
5- Although I have defined rls in ssas visual studio, all users can see all of the information? and this is something that bothers me.
Note: I analyzed my SSAS project in Excel and all RLS configs are working like a charm. (RLS in Power bi -> Not ok, Excel -> Ok)

Is there anything else that I am missing which leads to this outcome? I greatly appreciate your help.
Thanks,
Kasra

d_gosbell

When you go to your report on Report Server and click on the ... menu and choose Manage > Data sources - what setting do you see for the Credentials? It needs to say "As the user viewing the report" for RLS to work and you will need to have Kerberos configured. Configure Kerberos to Use Power BI Reports - Power BI | Microsoft Learn

View solution in original post

v-sgandrathi

Hi @holykasrabi,

PBIRS does not pass the viewer’s identity to SSAS because of the current authentication or delegation settings. As a result, SSAS processes RLS using the PBIRS service account or stored credentials, which means RLS is effectively bypassed.

Data source authentication in PBIRS

Go to Report - Manage - Data Sources and set authentication to As the user viewing the report (Windows integrated).

Avoid using stored credentials or an unattended account.

Kerberos (double-hop) setup for PBIRS to SSAS

Register SPNs for the SSAS service account (MSOLAPSvc.*) and the PBIRS service account (HTTP/ReportServerHost).

In Active Directory, for the PBIRS service account:
Delegation - Trust this user for delegation to specified services only - Use Kerberos only / Constrained delegation - add the SSAS MSOLAPSvc.* SPNs.

Confirm the identity reaching SSAS

Use SSAS Profiler/XEvent or DMVs to trace while opening the report.

EffectiveUserName should be DOMAIN\actual_user.

If it shows the PBIRS service account, review your delegation and SPN setup.

Role and admin checks

Make sure users are not SSAS Server/DB Admins, since admins bypass RLS.

If your dynamic RLS uses USERNAME(), ensure its format matches your security table (usually DOMAIN\samAccountName). Adjust if you used UPNs or emails.

Model propagation (less common)

If you use many-to-many or bridge tables, check that “Apply security filter in both directions” is enabled where needed.

Quick Diagnostic Flow:

Set PBIRS data source to use viewer’s credentials, open the report, and check SSAS:

If EffectiveUserName equals the viewer, RLS is applied; otherwise, review admin/USERNAME() mapping.

If EffectiveUserName does not match the viewer, resolve SPNs and constrained delegation.

Configure Analysis Services for Kerberos constrained delegation | Microsoft Learn
Configure Kerberos to Use Power BI Reports - Power BI | Microsoft Learn
Authentication methodologies supported by Analysis Services | Microsoft Learn

Thank you.