Starting December 3, join live sessions with database experts and the Microsoft product team to learn just how easy it is to get started
Learn moreGet certified in Microsoft Fabric—for free! For a limited time, get a free DP-600 exam voucher to use by the end of 2024. Register now
Hi,
I am having an issue with a report with RLS on the service.
The implementation is very simple using an access rule table with 2 columns [Username] and [Company] governing the Company view in the report. Then the dynamic RLS is implemented with a LOOKUP to that table looking for a matching USERPRINCIPALNAME().
My testing does work as expected in both local and service for all the defined users, but one.
The filter rule does fail for this user only on the service.
It seems like this user were an admin able to override any RLS rule.
But after extensive cheching, it tourned out that this user is not present anywhere I can check.
It's not a member of the report workspace, less than having any edit permissions.
It's not a member of the linked Sharepoint/Teams groups.
It doesn't show anywhere, but it can skip RLS.
Any hint would be GREATLY appreciated.
Thanks
maclura
Hi, @maclura ;
Hi @v-yalanwu-msft ,
we opened a ticket with Microsoft for this issue, and it's still open.
Microsoft has come back a couple of time with questions, but they seem to chew on this access problem a bit.
I will keep you updated on any outcome.
maclura
Please check, if you have any "Share"-Links created by the standard PowerBI Sharing Features - you can see this when checking context menu "..." -> "Manage Access" on the Report and Dataset. At least it helpen in my case...
Thank you @alexrobe for your hint.
I checked and I had 2 links for the report and 2 for the dataset. I removed all of them, but nothing changed! This user is still able to ignore any security rule.
One of the suggestions from Microsoft was that this user has never accessed PowerBI before, and that would explain why testing like that user doesn't work, but then we setup security rules for dozen of users who never accessed Power BI before, and none of them was able to override any rule.
maclura
Hi, @maclura ;
1.First check if he's a member of the group:
In the Power BI service, you can add a member to the role by typing in the email address or name of the user or security group. You can't add Groups created in Power BI. You can add members external to your organization.
2.You said that your desktop test is also that one person does not take effect, right? If it doesn't work in Service and on desktop, you can delete the data set and re-publish the new workspace to try it out.
3.Check The user is mapped to multiple roles.
https://docs.microsoft.com/en-us/power-bi/admin/service-admin-rls
https://docs.microsoft.com/en-us/power-bi/guidance/rls-guidance
Best Regards,
Community Support Team_ Yalan Wu
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
Starting December 3, join live sessions with database experts and the Fabric product team to learn just how easy it is to get started.
March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount! Early Bird pricing ends December 9th.
User | Count |
---|---|
39 | |
25 | |
21 | |
19 | |
10 |
User | Count |
---|---|
38 | |
36 | |
34 | |
20 | |
14 |