Cihan61
Frequent Visitor

RLS And authorizations

Hello all,

 

we have the following problem in our company:

We don't want certain AD groups to have access to a dashboard. I have prepared and uploaded the authorization tables in the desktop version and then assigned the respective roles in the web versions.

 

The AD group in question was set to "Administrator" yesterday. I then changed that to "View". The group is also shown as "View" in the accesses. But somehow the people in the AD group still get all the data displayed. I tried the same setting in the other workspaces and it works fine there. Therefore RLS should be set correctly.

 

In the other workspaces where it works, the so-called "readers" were already set as "view" from the beginning. Is it possible that the change was not made? Despite the fact that it says "View"?

 

thanks for your help

10 REPLIES
Tutu_in_YYC
Resident Rockstar

Hey Cihan61,

Is there a possibility that those readers who see all the data are also in a different security group that has the role IN { "Member", "Contributor", "Viewer" }? (Pardon the DAX pun.)

I.e. John is in ADGroup1 that is "Viewer", but he is also in ADGROUP2 that is "Admin" in the workspace.

If yes, that other security group will bypass the RLS.

Hey Tutu_in_YYC,

 

we have two workspaces. Different viewer security groups have been created for both workspaces.

 

Workspace Crew > Crew_Readers
Workspace Operations > Ops_Readers

 

The person is in both view security groups. While it works in Workspace Operations, it does not work in Workspace Crew. But it is also strange that some people in Workspace Crew, despite Crew_Readers authorization, cannot see the data (as it should be).

Assuming when you tested in both workspaces, they are individual datasets (i.e. not a shared dataset between workspaces).

If it works in Workspace Operations but doesn't in Workspace Crew, it could be that the person, e.g. Adam, has been assigned a different role in a different way.

Example
In Workspace Operations, you have these members:

1. Ops_Readers - Assigned as Viewer - contains Adam

2. Adam - Assigned as Member

3. SecurityGroup2 - Assigned as Member - contains Adam


(2) or (3) will bypass RLS, and Adam will see all data.

thanks 🙂 But ....

 

In Workspace Operations we have the following security groups:

OPS_Readers (Viewer) > Contains Adam

OPS_PowerUsers (Admin) > Without Adam

 

In Workspace Crew we have the following security groups:

Crew_Readers (Viewer) > Contains Adam

Crew_PowerUsers (Admin) > Without Adam

 

There are no other security groups. 

Same report and dataset in both workspaces? As @otravers mentioned, what did you use for the RLS DAX syntax?

I have a file that I have saved locally and I load this file in two different workspaces. In that case we would have two different datasets in two different workspaces, right? But if I delete one of them in a workspace, the same thing happens.

The DAX formula is the following:

 

Cihan61_0-1661932926969.png

 

I am not sure if it is really due to the DAX formula. When I test it on the desktop version, it works fine. I enter the email address of the person and it works.

 

Yeah the DAX looks fine. It has to be some overlap of roles. Just to confirm there are only 2 members in each workspace and they are the security groups, no other members in there?

 

 


@Cihan61 wrote:

In Workspace Operations we have the following security groups:

OPS_Readers (Viewer) > Contains Adam

OPS_PowerUsers (Admin) > Without Adam

 

In Workspace Crew we have the following security groups:

Crew_Readers (Viewer) > Contains Adam

Crew_PowerUsers (Admin) > Without Adam


If yes, this is a doozy...

otravers
Community Champion

In the workspace where RLS isn't applied as expected while viewing, does RLS at least work in the testing functionality accessible from the dataset's security settings?

------------------------------------------------
1. How to get your question answered quickly - good questions get good answers!
2. Learning how to fish > being spoon-fed without active thinking.
3. Please accept as a solution posts that resolve your questions.
------------------------------------------------
BI Blog: Datamarts | RLS/OLS | Dev Tools | Languages | Aggregations | XMLA/APIs | Field Parameters | Custom Visuals

Hi,
No, it does not work there. I always test it from there. Can it be that it does not work with the test but still works in reality?

otravers
Community Champion

I don't think that RLS can work in reality if it doesn't in the test area.

 

If things don't work in the test area, I think you can exclude workspace membership considerations (i.e. RLS is only applied to Viewers) and should focus on double-checking two things:

 

1. Membership of users in AD groups, with possible overlaps

2. Syntax of RLS DAX expressions

 

It might be useful to create a spreadsheet of your users, their groups, and retest everything from the ground up.


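The membership audit suggested in the replies above, as an added example that is not part of the original thread: a Python script that expands group membership (including nested groups) and reports each user's highest workspace role, since RLS is only applied to Viewers. The group names come from the thread; the memberships, the nesting of SecurityGroup2 and the user Beth are constructed sample data.

```python
# Constructed sample data: group names come from the thread, the memberships
# and the user "Beth" are made up for illustration.
ROLE_RANK = {"Viewer": 0, "Contributor": 1, "Member": 2, "Admin": 3}

GROUPS = {  # group -> direct members (users or nested groups)
    "Crew_Readers": {"Adam", "Beth"},
    "Crew_PowerUsers": {"SecurityGroup2"},   # nested group (assumption)
    "SecurityGroup2": {"Beth"},
    "Ops_Readers": {"Adam", "Beth"},
    "Ops_PowerUsers": set(),
}

WORKSPACE_ACCESS = {  # workspace -> [(principal, role)]
    "Crew": [("Crew_Readers", "Viewer"), ("Crew_PowerUsers", "Admin")],
    "Operations": [("Ops_Readers", "Viewer"), ("Ops_PowerUsers", "Admin"),
                   ("Adam", "Member")],      # direct assignment, case (2)
}


def expand(principal, groups, seen=None):
    """Return every user reachable from a principal, following nested groups."""
    seen = set() if seen is None else seen
    if principal not in groups:
        return {principal}            # not a group, so it is a user
    if principal in seen:
        return set()                  # cycle guard for circular nesting
    seen.add(principal)
    users = set()
    for member in groups[principal]:
        users |= expand(member, groups, seen)
    return users


def effective_roles(workspace, access=WORKSPACE_ACCESS, groups=GROUPS):
    """Map each user to (highest role, principals that granted any role)."""
    result = {}
    for principal, role in access[workspace]:
        for user in expand(principal, groups):
            best, paths = result.get(user, (role, []))
            if ROLE_RANK[role] > ROLE_RANK[best]:
                best = role
            result[user] = (best, paths + [f"{principal}={role}"])
    return result


def rls_bypass(workspace):
    """Users whose highest role is above Viewer, so RLS is not applied to them."""
    return {u: paths for u, (role, paths) in effective_roles(workspace).items()
            if ROLE_RANK[role] > ROLE_RANK["Viewer"]}
```

Replacing the two dictionaries with an export of the real workspace access list and AD group memberships gives the "spreadsheet" view per user, with the grant path that explains each elevated role.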