Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Earn the coveted Fabric Analytics Engineer certification. 100% off your exam for a limited time only!

Reply
alex2811
Frequent Visitor

RLS in app workspace works only in "view as role" but not when the actual user views the report

Hi everyone,

 

the title pretty much says it all.

I have set up a PBIX with dynamic RLS. Report viewers are only supposed to see employee data for their subordinates. The dataset contains only one role called "Teamleader".

The report is published via an app. On the dataset level, on the "security" tab, I have assigned 2 security groups to that role.

When I use the "view as role" feature, everything works nicely. I only see employee data for my own staff. If I view the report as another user (let's call him John Doe), this also works as expected. 

 

However, the actual John Doe just got in touch with me and informed me that he can see the records for all employees.

How is this possible? I already tried / verified the following:

- John Doe is a member of one of the 2 security groups that are assigned to the "Teamleader" role

- John Doe's access level to the app workspace is "App".

- I assume this is not a modelling issue since the desired filter logic works with the "view as" feature, both in the Service and in PBI Desktop.

 

Any ideas?

thanks alot.

 

Alex

 

1 ACCEPTED SOLUTION
Burningsuit
Resident Rockstar
Resident Rockstar

Hi @alex2811 

This is probably because your John Doe is a Member or Contributor in the Workspace you built the App from. Any Workspace members other than "Viewer" get Build permissions on the contents of the workspace, meaning they can edit and change content, but also that RLS is not applied to them. This follows through into the App built from the Workspace. Remove your John Doe from the Workspace or make him a Viewer only and he should be subject to RLS in the App.

Hope this helps

Stuart

View solution in original post

2 REPLIES 2
Burningsuit
Resident Rockstar
Resident Rockstar

Hi @alex2811 

This is probably because your John Doe is a Member or Contributor in the Workspace you built the App from. Any Workspace members other than "Viewer" get Build permissions on the contents of the workspace, meaning they can edit and change content, but also that RLS is not applied to them. This follows through into the App built from the Workspace. Remove your John Doe from the Workspace or make him a Viewer only and he should be subject to RLS in the App.

Hope this helps

Stuart

Hi Stuart,

turns out John Doe was simply looking at the wrong report and actually the report in question works just fine.

 

But still your remark is very useful as I didn’t know that RLS doesn’t apply to contributors (it does make sense though) – thanks for giving me the heads-up, that is not going to bite me the next time I am working with RLS.

Thanks man.

Helpful resources

Announcements
April AMA free

Microsoft Fabric AMA Livestream

Join us Tuesday, April 09, 9:00 – 10:00 AM PST for a live, expert-led Q&A session on all things Microsoft Fabric!

March Fabric Community Update

Fabric Community Update - March 2024

Find out what's new and trending in the Fabric Community.

Top Solution Authors