Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Next up in the FabCon + SQLCon recap series: The roadmap for Microsoft SQL and Maximizing Developer experiences in Fabric. All sessions are available on-demand after the live show. Register now

Reply
ybarsabal
Resolver I
Resolver I

RLS with Multiple Roles

‎06-07-2019 12:26 PM

Consider a data set that contains sales data at the levels of USA, States, Sales Person Name.

 

Here are my desired roles:

SalesPerson = can see only his or her data.

StateManager = can see all data for a State.

 

I've set up the RLS for this, and it appears to work correctly. However, the security appears to break when a person is in both roles. 

1. First I assigned Mary to SalesPerson. The report showed her only her rows. Good!

2. Then I removed Mary from the SalesPerson role and assigned her to StateManager. The report showed her only her States. Good!

3. Then I assigned Mary to both SalesPerson and StateManager. The report showed her all states (all data). Bad!

 

What is going on?

Labels:
Message 1 of 4
7,718 Views
0
1 ACCEPTED SOLUTION
ybarsabal
Resolver I
Resolver I
In response to GilbertQ

‎06-11-2019 08:44 AM

Ok, I think I've identified the issue. The SalesPerson role was only filtering on the Fact table, and applying the filter to the State-to-Manager table (although unnecessary when only a SalesPerson) was necessary so that table was filtered when it became relavant in the StateManager role. 

View solution in original post

Message 4 of 4
7,667 Views
0
3 REPLIES 3
GilbertQ
Super User
Super User

‎06-07-2019 04:24 PM
Hi there

By design RLS shows the least restrictive when a person is in multiple roles.

What this means is if a person is in 2 roles, it will show the combination of both of those roles.

What should be done is you would need to create a Dynamic RLS which has based off the most granular data, which in your example would be the Sales Person




Did I answer your question? Mark my post as a solution!

Proud to be a Super User!







Power BI Blog

Message 2 of 4
7,708 Views
0
ybarsabal
Resolver I
Resolver I
In response to GilbertQ

‎06-11-2019 08:44 AM

Ok, I think I've identified the issue. The SalesPerson role was only filtering on the Fact table, and applying the filter to the State-to-Manager table (although unnecessary when only a SalesPerson) was necessary so that table was filtered when it became relavant in the StateManager role. 

Message 4 of 4
7,668 Views
0
ybarsabal
Resolver I
Resolver I
In response to GilbertQ

‎06-11-2019 07:17 AM

In my example, RLS is not showing the least restrictive of the two roles. It's ignoring both roles and just showing everything (neither role shows everything). 

 

The SalesPerson role is dynamic, filtering to rows where the UPN = SalesPerson in the main fact table.

 

The StateManager role uses a State-to-Manager table, filtering to States where UPN = Manager. This table has a relationship to the fact table joined on State.

Message 3 of 4
7,668 Views
0

Helpful resources

Announcements
New to Fabric survey Carousel

New to Fabric Survey

If you have recently started exploring Fabric, we'd love to hear how it's going. Your feedback can help with product improvements.

Power BI DataViz World Championships carousel

Power BI DataViz World Championships - June 2026

A new Power BI DataViz World Championship is coming this June! Don't miss out on submitting your entry.

FabCon and SQLCon Highlights Carousel

FabCon &SQLCon Highlights

Experience the highlights from FabCon & SQLCon, available live and on-demand starting April 14th.

March Power BI Update Carousel

Power BI Community Update - March 2026

Check out the March 2026 Power BI update to learn about new features.

View All