Hi everyone
I hope someone has an answer to this problem as it has frustrated me all day.
I have set up my dashboard in Power BI desktop via "manage roles", so that a certain colleague should only be able to view rows relating to the team they manage. I am confident this has been set up correctly, as I get the correct result when I "view as role" in Desktop.
I have added them as a "viewer" to the workspace, and configured row level security on Power BI service so that their email address is associated with that specific team.
When I "view as role" in Desktop, this works correctly. However, when I "test as role" in Service, the RLS does not apply at all.
I have viewed a lot of resources online; people always suggest reviewing this link: https://docs.microsoft.com/en-us/power-bi/admin/service-admin-rls and in particular the line: "If you have configured the workspace so that members have edit permissions, the RLS roles will not be applied to them. Users will be able to see all of the data."
I don't know what other options I can configure here. Other than setting up a colleague as a "viewer" only, is there some other option on workspaces that is giving the individual edit access, thus bypassing the RLS?
@Anonymous - If they are Viewer only to the workspace, RLS should apply. You will need to test as that user specifically though.
@Anonymous
If you want to test your RLS in Power BI Desktop - you'll need to 'explicitly' type in the employee email as "Other User" - while also selecting the target role to test.
In the service - you are doing everything correctly. If they are in a Viewer role - then RLS applies. (It doesn't apply if they are a Contributor, Member, or Admin).
Hi
This is interesting. It seems when I test this in Desktop as "other user" I replicate the issue I see on Power BI service. Therefore perhaps I have not configured this correctly?
This is my Manage roles screen
(excuse the censorship of sensitive tables!)
If I click "view as roles" and select pension, I get the correct result in Desktop. However, if I click view as roles, other, and copy-paste that user's email address - exactly as it is written in the "manage roles" screen - I get the wrong result.
Can anyone spot anything obvious I have done wrong? My tables are set up as follows:
@Anonymous
With my test, I cannot reproduce that issue, both copy paste email and select from list works.
The other possibility is if you and your colleagues are not in the same domain and tenant, simply entering the emails will not work with RLS for those external guest users. You can only add them to the role and test with the role instead of the individual user.
Paul Zheng _ Community Support Team
If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.
@Anonymous
Looking at your model, it does not appear that your RLS filter will pass through the UserGroup table, despite having a bidirectional filter setup.
I built a similar table in Power BI to demonstrate:
Here I'm filtering the Users table and trying to get that RLS rule from "Users" to "Teams".
I'll select view as and type my target email in the "Other User" box.
Once RLS is 'applied' you can enter "table view" to see how your model is filtered by the rule.
My users table and userGroups table are filtered as expected:
But my teams table is not:
This is at the heart of what is going wrong in your situation.
You would expect to only see two teams filtered in the Teams table - but all 4 are showing, indicating that it is not being filtered by the RLS (despite the two way filter).
If you are going for dynamic RLS (which it looks like you are), then it's best practice to also use Username() or Userprincipalname() in your RLS DAX (as I show above). Type the email in the view as role popup, rather than in the DAX rule area itself.
Check out this video for one possible solution to this problem.
https://www.youtube.com/watch?time_continue=1&v=Sge_g9hTXWE&feature=emb_logo
There are other ways around this problem, but this should get you started.
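One way to make the rule reach the Teams table, shown as an added example that is not from the original thread or from any poster's model: a dynamic role filter defined on Teams itself, so it does not depend on a filter flowing Users -> UserGroups -> Teams. The table and column names (Users[Email], UserGroups[UserID], UserGroups[TeamID], Teams[TeamID]) are assumptions modelled on the demo tables described in the last answer.

```dax
-- Added example: table filter DAX expression for the role, set on the Teams table.
-- Assumed (hypothetical) model:
--   Users(UserID, Email) 1 --- * UserGroups(UserID, TeamID) * --- 1 Teams(TeamID, ...)
VAR CurrentUser = USERPRINCIPALNAME()    -- identity of the signed-in or "Other user" account
VAR AllowedTeamIDs =
    SELECTCOLUMNS(
        FILTER(
            UserGroups,                                  -- every membership row
            RELATED( Users[Email] ) = CurrentUser        -- keep only this user's memberships
        ),
        "TeamID", UserGroups[TeamID]
    )
RETURN
    Teams[TeamID] IN AllowedTeamIDs      -- TRUE only for teams the user belongs to
```

With the rule on Teams, tables that Teams filters through ordinary one-to-many relationships are restricted as well, which can be confirmed in table view after "View as" with the target email. To keep the rule on Users instead, the UserGroups-to-Teams relationship needs "Apply security filter in both directions" enabled, because a bidirectional cross-filter on its own is not used for RLS.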