Hi @holykasrabi,
PBIRS does not pass the viewer’s identity to SSAS because of the current authentication or delegation settings. As a result, SSAS processes RLS using the PBIRS service account or stored credentials, which means RLS is effectively bypassed.
Data source authentication in PBIRS
Go to Report - Manage - Data Sources and set authentication to As the user viewing the report (Windows integrated).
Avoid using stored credentials or an unattended account.
Kerberos (double-hop) setup for PBIRS to SSAS
Register SPNs for the SSAS service account (MSOLAPSvc.*) and the PBIRS service account (HTTP/ReportServerHost).
In Active Directory, for the PBIRS service account:
Delegation - Trust this user for delegation to specified services only - Use Kerberos only / Constrained delegation - add the SSAS MSOLAPSvc.* SPNs.
Confirm the identity reaching SSAS
Use SSAS Profiler/XEvent or DMVs to trace while opening the report.
EffectiveUserName should be DOMAIN\actual_user.
If it shows the PBIRS service account, review your delegation and SPN setup.
Role and admin checks
Make sure users are not SSAS Server/DB Admins, since admins bypass RLS.
If your dynamic RLS uses USERNAME(), ensure its format matches your security table (usually DOMAIN\samAccountName). Adjust if you used UPNs or emails.
Model propagation (less common)
If you use many-to-many or bridge tables, check that “Apply security filter in both directions” is enabled where needed.
Quick Diagnostic Flow:
Set PBIRS data source to use viewer’s credentials, open the report, and check SSAS:
If EffectiveUserName equals the viewer, RLS is applied; otherwise, review admin/USERNAME() mapping.
If EffectiveUserName does not match the viewer, resolve SPNs and constrained delegation.
Configure Analysis Services for Kerberos constrained delegation | Microsoft Learn
Configure Kerberos to Use Power BI Reports - Power BI | Microsoft Learn
Authentication methodologies supported by Analysis Services | Microsoft Learn
Thank you.
