Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Grow your Fabric skills and prepare for the DP-600 certification exam by completing the latest Microsoft Fabric challenge.

Reply
maclura
Resolver I
Resolver I

Dynamic RLS issue on the service for a single user

Hi,

I am having an issue with a report with RLS on the service.

The implementation is very simple using an access rule table with 2 columns [Username] and [Company] governing the Company view in the report. Then the dynamic RLS is implemented with a LOOKUP to that table looking for a matching USERPRINCIPALNAME().

My testing does work as expected in both local and service for all the defined users, but one.

The filter rule does fail for this user only on the service.

It seems like this user were an admin able to override any RLS rule.

But after extensive cheching, it tourned out that this user is not present anywhere I can check.

It's not a member of the report workspace, less than having any edit permissions.
It's not a member of the linked Sharepoint/Teams groups.

It doesn't show anywhere, but it can skip RLS.

 

Any hint would be GREATLY appreciated.

Thanks

maclura  

 

 

5 REPLIES 5
v-yalanwu-msft
Community Support
Community Support

Hi, @maclura ;

Is your problem solved?? If so, Would you mind accept the helpful replies as solutions? Then we could close the thread. More people who have the same requirement will find the solution quickly and benefit here. Thank you.

Best Regards,
Community Support Team_ Yalan Wu
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Hi @v-yalanwu-msft ,

we opened a ticket with Microsoft for this issue, and it's still open.

Microsoft has come back a couple of time with questions, but they seem to chew on this access problem a bit.

I will keep you updated on any outcome.

 

maclura

Please check, if you have any "Share"-Links created by the standard PowerBI Sharing Features - you can see this when checking context menu "..." -> "Manage Access" on the Report and Dataset. At least it helpen in my case...

Thank you @alexrobe for your hint.

I checked and I had 2 links for the report and 2 for the dataset. I removed all of them, but nothing changed! This user is still able to ignore any security rule.

One of the suggestions from Microsoft was that this user has never accessed PowerBI before, and that would explain why testing like that user doesn't work, but then we setup security rules for dozen of users who never accessed Power BI before, and none of them was able to override any rule.

maclura

v-yalanwu-msft
Community Support
Community Support

Hi, @maclura ;

1.First check if he's a member of the group:

In the Power BI service, you can add a member to the role by typing in the email address or name of the user or security group. You can't add Groups created in Power BI. You can add members external to your organization.

 

2.You said that your desktop test is also that one person does not take effect, right? If it doesn't work in Service and on desktop, you can delete the data set and re-publish the new workspace to try it out.

 

3.Check The user is mapped to multiple roles.

 

https://docs.microsoft.com/en-us/power-bi/admin/service-admin-rls

https://docs.microsoft.com/en-us/power-bi/guidance/rls-guidance

Best Regards,
Community Support Team_ Yalan Wu
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Helpful resources

Announcements
RTI Forums Carousel3

New forum boards available in Real-Time Intelligence.

Ask questions in Eventhouse and KQL, Eventstream, and Reflex.

MayPowerBICarousel

Power BI Monthly Update - May 2024

Check out the May 2024 Power BI update to learn about new features.

Top Solution Authors