Hello,
We are using RLS security by leveraging USERPRINCIPALNAME. This works. The only issue is there are many different users with different permissions. Do we need to add everyone in PBI service to that secured role separately? Online documentation states that groups do not work - and in our testing that seems to be the case. Just hoping there is a workaround as the # of users could balloon to hundreds and a pain to have to add each of them individually to the role in PBI service.
Thanks,
Dan
In Dynamic RLS you usually have a single role. That role has ideally only distribution lists as members, usually PDLs maintained by an external tool.
Got it - thanks! I was under the impression that we could not use groups when adding role users. But, if we can do that - it makes sense. Thanks - issue resolved.
If you use dynamic RLS then your data model needs to contain a mapping table between email addresses and capabilities/permissions. Ideally that table is maintained outside of Power BI.
Thanks @lbendlin - I do have dynamic RLS set up. The issue is we still have to go into the service security and add every user individually to that role. And any time a new user is given access - which works behind the scenes because it is managed in our SQL database - we still need to set that new person up in PBI Service role security. Unless I'm missing something.
Seems like it would be much easier if we could just add the USERPRINCIPALNAME filter directly to the SQL WHERE clause in the connection string - but that doesn't seem to be possible in M. Doing so would prevent the need of having to add every person to the secure role in PBI service.
Thanks,
Dan
The issue is we still have to go into the service security and add every user individually to that role.
Not sure I understand that part. Usually all you need to do is refresh your semantic model to pull in the new user mapping information.
You can consider using Direct Query with SSO passthrough
Maybe I misunderstood how RLS works but I thought that everyone who needs to be secured - in addition to being in the database - and filtered via RLS - they also need to be added to the role in PBI service for the given semantic model's security here:
i.e. this is not the last step:
...still need everyone to be added individually to PBI service role. Not great as we have 50 or so users so far and there will be many more in the future. And cannot assign a group to a role - and have it work.
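The arrangement discussed in this thread, modelled as an added example that is not part of any post and is not Power BI code: a single role whose only member is a group, plus a mapping table in the model that the role's USERPRINCIPALNAME filter reads. The group name, addresses, tables and the `onboard` helper are all constructed for illustration.

```python
# Model of the two checks behind dynamic RLS (illustrative, not Power BI code).
# Every name and value here is constructed for this example.

# Service side: the role's member list holds a group, not individual users.
ROLE_MEMBERS = {"report-readers@example.com"}  # hypothetical distribution list

# Directory side: group membership, maintained outside Power BI.
GROUPS = {"report-readers@example.com": {"ann@example.com", "bob@example.com",
                                         "cy@example.com"}}

# Model side: mapping table, reloaded from SQL on each semantic model refresh.
USER_PERMISSIONS = [
    {"email": "ann@example.com", "region": "East"},
    {"email": "ann@example.com", "region": "West"},
    {"email": "bob@example.com", "region": "East"},
    {"email": "dee@example.com", "region": "West"},  # mapped, but not in the group
]

SALES = [{"region": "East", "amount": 100},
         {"region": "West", "amount": 250},
         {"region": "North", "amount": 75}]

def in_role(upn):
    """Check 1: is the user a role member, directly or through a group?"""
    upn = upn.lower()
    return upn in ROLE_MEMBERS or any(upn in GROUPS.get(m, set())
                                      for m in ROLE_MEMBERS)

def visible_rows(upn):
    """Check 2: the role filter, i.e. mapping[email] = USERPRINCIPALNAME()."""
    if not in_role(upn):
        # A viewer who belongs to no role is refused the data entirely.
        raise PermissionError(f"{upn} is not a member of the role")
    allowed = {p["region"] for p in USER_PERMISSIONS if p["email"] == upn.lower()}
    return [row for row in SALES if row["region"] in allowed]

def onboard(upn, regions):
    """New user: touch the directory group and the mapping table only."""
    GROUPS["report-readers@example.com"].add(upn.lower())
    USER_PERMISSIONS.extend({"email": upn.lower(), "region": r} for r in regions)

if __name__ == "__main__":
    onboard("eve@example.com", ["North"])
    for user in ("ann@example.com", "cy@example.com", "eve@example.com"):
        print(user, visible_rows(user))
```

A user who is in the group but has no mapping row (`cy`) gets an empty result, and a user who has a mapping row but is not in the group (`dee`) is refused, so both the group and the mapping table have to be kept current.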