dpollozhani
Helper I

Dynamic RLS with apps using shared dataset across workspaces, internal and external users

Hi all,

 

I believe that I have thoroughly searched the community, but have not been able to find an answer to my specific problem.

 

The setup

  • I have a dataset with dynamic RLS applied to it. The dataset is the basis of an app in Workspace A (Global Sales, see illustration below), but it is also shared to Workspace B (Ecommerce), where it is the basis of one report contained in that app.
  • Users only have access to the apps (with build rights enabled), not to any of the workspaces. Apps are shared via links (we are currently in testing).
  • The distribution is handled via Azure AD groups; the same AD group has access to both apps in this case.
  • Both internal and external users (guests) are given access. I'm not certain that it truly matters, but the implication of how PBI Service catalogues UserPrincipalName() differently between internal and external users has been addressed as per this thread.

The problem

RLS decidedly works as it should. I can confirm it both in PBI Desktop and in PBI Service with role testing. Users can see the content, filtered correctly, in the Global Sales app.

The strange thing is that users cannot immediately see the content of the app in Ecommerce that is based on the shared dataset -- until they have first opened the app in Global Sales. (The error message is, by the way, "access denied", as if they are not part of RLS.)

In other words, it seems that they must first open the app in the workspace in which the dataset resides, before they can see the shared content in the other workspace's app. 

 

[Illustration: dpollozhani_0-1648544217440.png]

 

I find this behaviour utterly strange, but I guess there must be an explanation for it. Perhaps I am doing something wrong.

 

To further add to the context, our license model is Power BI Pro. Some external users bring their own licenses, some are just using the Pro trial at the moment.

 

I hope someone can help with this.

 

Thanks in advance!

5 REPLIES 5
Tutu_in_YYC
Super User

I have a similar architecture with a shared dataset. I make sure that the AD group is in the dataset permission (which is in a different workspace) and that the AD group is also in the App permission. Have you included the AD group in the dataset permission?

 

As to USERPRINCIPALNAME, if you test it on your domain, "EXT" may appear in the returned value. But it will not when the external users are viewing it, i.e. it will show as JohnDoe@domain.com
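A check that follows from the UPN point in the reply above, as an added example that is not part of the original thread: it compares the members of the access group with the e-mail column of a dynamic-RLS mapping table and reports who would match no row. It assumes the Entra ID guest convention (`name_domain#EXT#@tenant`), that the role compares USERPRINCIPALNAME() with that e-mail column, and that guests present their home address as the reply states; function names and all sample data are constructed.

```python
"""Added example: audit a dynamic-RLS mapping table against group membership.
All names and sample data below are constructed for illustration."""

EXT = "#ext#"  # guest marker in a directory UPN, compared in lower case


def effective_identity(directory_upn):
    """Address a viewer is expected to present to the RLS filter."""
    upn = directory_upn.strip().lower()
    if EXT not in upn:
        return upn  # internal user: directory UPN is used as-is
    encoded = upn.split(EXT, 1)[0]
    # Guest UPNs store the home address with '@' replaced by '_'.
    # Mail domains do not contain '_', so the last '_' is the original '@'.
    name, sep, domain = encoded.rpartition("_")
    if not sep or not name or "." not in domain:
        raise ValueError(f"unrecognised guest UPN: {directory_upn!r}")
    return f"{name}@{domain}"


def audit_rls_coverage(group_members, rls_rows):
    """Return members without an RLS row, rows stored in #EXT# form,
    and rows for addresses that are no longer in the group."""
    expected = {effective_identity(m) for m in group_members}
    mapped = {r.strip().lower() for r in rls_rows}
    raw_ext = {r for r in mapped if EXT in r}
    return {
        "missing": sorted(expected - mapped),
        "raw_ext_rows": sorted(raw_ext),
        "orphaned": sorted(mapped - expected - raw_ext),
    }


# Constructed sample: directory export of the AD group and the RLS table.
GROUP_MEMBERS = [
    "Anna.Berg@contoso.example",
    "john_doe_partner.example#EXT#@contoso.onmicrosoft.com",
    "mia.lund_supplier.example#EXT#@contoso.onmicrosoft.com",
    "Lee.Park@contoso.example",
]
RLS_ROWS = [
    "anna.berg@contoso.example",
    "john_doe@partner.example",
    "mia.lund_supplier.example#EXT#@contoso.onmicrosoft.com",
    "old.user@contoso.example",
]

if __name__ == "__main__":
    for finding, values in audit_rls_coverage(GROUP_MEMBERS, RLS_ROWS).items():
        print(f"{finding}: {values}")
```

Rows reported under `raw_ext_rows` hold the directory form of a guest address, and `orphaned` rows are RLS entries for people who are no longer in the group.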

Yes, the group is included in the dataset permission (RLS). 
As for the USERPRINCIPALNAME, as I said, I'm not sure it really matters. One external user that was given the link to the Global Sales app could open the second app directly even before my DAX code change for the dynamic role. It seems that PBI service handled it below the hood.

ibarrau
Super User

Hi. I think the issue here is that because you are sharing links of apps they won't have the permission really applied until they open the Global App. They only have a link and you haven't added them in any kind of permission. That's why they need to open it at least once before being able to check the other app.

If you want to get rid of the behaviour, you need to grant them permission in the workspace to let them have the permissions configured without opening anything. If that's not an option for you, you can play around with the upgrade option in the App like "install the app automatically", adding the users in the box of the app. You need to grant the permissions somehow because the link is just a link without previous configuration.

I hope that makes sense and helps


If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.

Happy to help!

LaDataWeb Blog

Update!

I have now explored this further, since I had to create a new workspace with reports using data from two other workspaces. Unfortunately, the problem is the very same even when I grant user permissions directly to the workspace. Even though everything checks out, with AD groups, RLS (tried and tested) - the users cannot open the reports in the workspace.

 

This might very well be the issue. At the moment I have no new user to try this with, but it makes sense nonetheless. I will make sure to install the app automatically now, and then see what happens with my next user(s). 
