Starting December 3, join live sessions with database experts and the Microsoft product team to learn just how easy it is to get started
Learn moreGet certified in Microsoft Fabric—for free! For a limited time, get a free DP-600 exam voucher to use by the end of 2024. Register now
We have implemented row level security based on below requirement :
one AD group XYZ that has below user levels based on security predicate as follows :
1. Executive : [Executive Email]= userprincipalname()
2. Head of : [Headof Email]= userprincipalname()
3. Sales Mgr : [SM Email]= userprincipalname()
4. Specialist : [Email]= userprincipalname()
This works perfectly fine when AD group is assigned to all the roles in Power BI service.
However, there are few users in the AD group that needs to see everything irrespective of RLS filter but are not part of the Users Hierarchy table. I created a role "All Roles" where 1=1 and added AD group to it.
Although it works for "All Roles", the RLS roles filters aren't working anymore.
Kindly suggest.
It seems like the problem is caused by the creation of the "All Roles" role that doesn't have any restrictions. When a user is a member of this role, they can see everything in the report, regardless of the RLS filters defined for other roles. To resolve this issue, you can create a separate role for those users who need to see everything, and give them access to all the data in the report without using RLS.
Alternatively, you can modify the security predicates of the existing roles to include the conditions that allow the desired users to see everything. For example, you can add an OR clause in each security predicate that checks if the current user is one of the users who need to see everything.
Here is an example of how you can modify the security predicate for the "Executive" role:
[Executive Email]= userprincipalname() OR [Email]= "<specific email of the user who needs to see everything>"
Note: Replace <specific email of the user who needs to see everything> with the actual email of the user who needs to see everything. You can do the same for other roles as well.
By modifying the security predicates in this way, you can ensure that the desired users can see everything while still using RLS to restrict access to the other users.
Hi @jaweher899
Thank you for your response. As I mentioned in my request, I have already created "AllRole" with no RLS i.e 1=1but it seems to apply the 1=1 for all users and show everything to executives, Head of , etc without checking username.
Basically, if the login user is not in the User Hierarchy table then he should see everything.
What's not exactly working please? May be you've some users exist in more than one AD.
We have only 1 AD group with executives, Headof,SM, Specialist as well as admin users.
As the admin users are also members of the same AD group , the condition 1=1 overrides the other RLS filters and displays everything to other users.
Sales AD Group | |||||||||
User | Role | Exists in User Table | Executive | Head Of | SM | Specialist | AllRole | ||
A | a@sales.com | Executive | Y | [Executive Email]=userprincipalname() | TRUE | FALSE | FALSE | FALSE | TRUE |
B | b@sales.com | Head Of | Y | [Headof Email]=userprincipalname() | FALSE | TRUE | FALSE | FALSE | TRUE |
C | c@sales.com | SM | Y | [SM Email]=userprincipalname() | FALSE | FALSE | TRUE | FALSE | TRUE |
D | d@sales.com | Specialist | Y | [Email]=userprincipalname() | FALSE | FALSE | FALSE | TRUE | TRUE |
E | e@sales.com | AllRole | N | 1=1 | TRUE | TRUE | TRUE | TRUE | TRUE |
Starting December 3, join live sessions with database experts and the Fabric product team to learn just how easy it is to get started.
March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount! Early Bird pricing ends December 9th.
User | Count |
---|---|
39 | |
23 | |
21 | |
19 | |
10 |
User | Count |
---|---|
38 | |
36 | |
34 | |
20 | |
14 |