The ultimate Fabric, Power BI, SQL, and AI community-led learning event. Save €200 with code FABCOMM.
Get registeredCompete to become Power BI Data Viz World Champion! First round ends August 18th. Get started.
I have RLS set up using User Principal name for a user outside of my organization. I already included the #EXT# as part of the security table, and when I view test this role in powerBI service, and select this user, I see data correctly. However when the user logs in, they see no data at all, just an empty report. What are some troubleshooting steps I can try with this user? The user has been shared read-only access to the report, and not the dataset or workspace, if that is relevant.
(more context from comment below)
So Let's say the user's email is jdoe@userdomain.com
if i set UPN in my security settings to "jdoe@userdomain.com" the user gets an error when viewing the report
"The report can't be viewed because the underlying dataset uses row-level securty (RLS)
When I add the user to a role in service, "test as role", select that user, and hover over the user name, i get more details, including the UPN which is in the format jdoe_userdomain.com#EXT#@mydomain.com
so i went into my RLS table in the data set, changed the UPN for that user to include the proper formatting of the UPN, now the user logs in and no longer sees the error i described before, but the report is blank without data. If i use test role, i can accurately see the data as expected. This is consistent for two different users on that domain.
Solved! Go to Solution.
For what it's worth, i was able to solve this problem by adding BOTH formats to my RLS table.
When I viewed from "Test Roles" my table visual that I used as a diagnostic with USERPRINCIPALNAME() would show the jdoe_userdomain#EXT#@mydomain.com, and using this value in my RLS allowed my "test role" to work well, but didn't allow the user. If i ALSO added jdoe@userdomain.com, the user was able to login without errors, and when they view my diagnostic visual their visual showed jdoe@userdomain.com. So the solution was both things, I had to add both addresses to my RLS table for me to be able to test the roles and for the user to be able to see the report. Thank you so much for the guidance.
For what it's worth, i was able to solve this problem by adding BOTH formats to my RLS table.
When I viewed from "Test Roles" my table visual that I used as a diagnostic with USERPRINCIPALNAME() would show the jdoe_userdomain#EXT#@mydomain.com, and using this value in my RLS allowed my "test role" to work well, but didn't allow the user. If i ALSO added jdoe@userdomain.com, the user was able to login without errors, and when they view my diagnostic visual their visual showed jdoe@userdomain.com. So the solution was both things, I had to add both addresses to my RLS table for me to be able to test the roles and for the user to be able to see the report. Thank you so much for the guidance.
Hi @ChadPBI
You just need to put in the users email address. That should resolve the issue?
The other troubleshooting step is to have SQL Profiler running if your dataset is in Premium or Premium Per user. SQL Profiler will enable you to view what happens when they log in.
Here are details on how to do this: How to connect to a Power BI Premium Per User using SQL Profiler - FourMoo | Power BI | Data Analyti...
Thanks @GilbertQ
So Let's say the user's email is jdoe@userdomain.com
if i set UPN in my security dimension table to "jdoe@userdomain.com" the user gets an error when viewing the report
"The report can't be viewed because the underlying dataset uses row-level securty (RLS)
When I add the user to a role in service, "test as role", select that user, and hover over the user name, i get more details, including the UPN which is in the format jdoe_userdomain.com#EXT#@mydomain.com
so i went into my RLS table in the data set, changed the UPN for that user to include the proper formatting of the UPN, now the user logs in and no longer sees the error i described before, but the report is blank without data. If i use test role, i can accurately see the report filtered as expected. This is consistent for two different users on that domain.
Hi @ChadPBI
I have set RLS up for multiple clients who have had both internal and external users.
In your RLS tables you would save the jdoe@userdomain.com
If the user is seeing blank data that means that the RLS mapping is not working for the specific user. What you could do is to create a measure on the report to understand what the users actual logged in email address is
You can create the following measure:
Logged in User = USERPRINCIPALNAME()
@GilbertQ , thanks for your help so far. I made the measure you suggested, put it in a table visual, used "test roles" with this user, and it gives me this address including this #EXT# extension, and no data shown when the RLS table has an email in the format jdoe@sample.com. If i adjust the RLS table to have an address that matches what i see here (jdoe_sample.com#EXT#@mydomain.com), I can see the report correctly when i "test roles" but the user cannot see anything.