kbjgg
Regular Visitor

RLS working when Test as User, but external user is getting access denied to underlying dataset

We have external users that we are trying to give access to one of our Power BI reports, and the RLS is not working.

 

Setup is as follows:

  • We have a PBIX that contains the data
  • We have another PBIX that connects to the data, this contains the visuals and app that the users view from Service

RLS controlled via user list that is filtered on the dataset via account number. In the security role we have:

[UserEmail] = USERPRINCIPALNAME()

 

On the service:

  • We have added them as guests of our 365 environment
  • On the Dataset workspace, the user has been added as a Viewer
  • They have been added to the RLS role
  • When testing as user, the dataset is correctly filtered
  • In the workspace containing the report with the visuals, they have been added to the app within the Audience section

Initially we found that the USERPRINCIPALNAME was in the format of {email}#EXT#@domain.com until the user logged in, then it reverted to their email address. So to allow us to test the role and (in theory) the user log in, we have both variations of the UPN in our RLS user list, but the external users still cannot log in.

 

They get the error "You can't see the content of this report because you don't have permissions to the underlying dataset. The underlying dataset uses RLS".

 

Annoyingly, I have my Gmail account set up as per the above and it is working perfectly fine; the only thing that's different about these users is that they are using their own PBI Pro licence from their domain, whereas with my Gmail account we added the PBI licence internally.

 

What am I missing? Any advice greatly appreciated!

 

1 ACCEPTED SOLUTION
kbjgg
Regular Visitor

I figured the issue out, so thought I would update in the event anyone else has a similar scenario. Whilst I had assigned the users to the RLS role on the data workspace semantic model, I hadn't realised that the same RLS role also applied on the semantic model for the report that only contained the visualisations/app. When I assigned the users to the RLS role in this workspace as well, the issue was resolved. Hope this helps someone else in the future! 
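
The fix above comes down to every external user being in the RLS role on both semantic models, under whichever UPN form was entered. The following is an added example, not code from the original post: a small audit that normalises both UPN forms and reports who is missing from which model. The model names, the sample identities and the guest UPN shape in which `@` becomes `_` are assumptions.

```python
"""Added example: find external users missing from the RLS role on any model."""

EXT_MARKER = "#ext#@"  # compared after lower-casing


def canonical_email(identity: str) -> str:
    """Reduce either UPN form of a guest to a lower-case email address."""
    ident = identity.strip().lower()
    if EXT_MARKER not in ident:
        return ident  # already a plain email / member UPN
    local = ident.split(EXT_MARKER, 1)[0]
    if "@" in local:
        return local  # literal "{email}#EXT#@domain" form as written in the post
    # Assumption: the guest form replaces '@' with '_'. Mail domain host names
    # do not contain '_', so the last '_' marks where the '@' used to be.
    user, sep, domain = local.rpartition("_")
    return f"{user}@{domain}" if sep else local


def audit_role_membership(expected_users, memberships):
    """Return {email: [models whose RLS role lacks that user]}."""
    canon = {model: {canonical_email(i) for i in ids}
             for model, ids in memberships.items()}
    gaps = {}
    for user in expected_users:
        email = canonical_email(user)
        missing = sorted(m for m, ids in canon.items() if email not in ids)
        if missing:
            gaps[email] = missing
    return gaps


# Constructed sample data: role members typed in from each model's settings.
EXPECTED = ["alice@partner.example", "bob_smith@partner.example"]
MEMBERSHIPS = {
    "data-model": ["alice_partner.example#EXT#@tenant.example",
                   "bob_smith@partner.example"],
    "report-model": ["Alice@partner.example"],
}

if __name__ == "__main__":
    for email, models in audit_role_membership(EXPECTED, MEMBERSHIPS).items():
        print(f"{email}: not in RLS role on {', '.join(models)}")
```
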
