Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Enhance your career with this limited time 50% discount on Fabric and Power BI exams. Ends August 31st. Request your voucher.

Reply
KevinColes
Helper III
Helper III

Row Level Security doesn't work with e-mail aliases

‎10-08-2020 07:50 AM

Hi experts,

 

I have set up a report that uses Row Level Security and roles that filter on the user's login using the USERPRINCIPALNAME() function. In Power BI Desktop it is functioning as expected and I can test as various users under the one role I have set up so far and I've had no issues. 

 

When I published to the Service and setup the security and added users to the roles it didn't seem to work and then after some searching I found out that RLS works only works on View Only roles, so I changed that and still got weird behaviour. No filtering occurred at all when I viewed as a user and my "Logged in as: person@domain.com" measure I created wasn't changing from my login.

 

I then discovered by way of trying a few different users, that only specific users weren't working and that some did work exactly as I would expect. All of the non-working ones had legacy logins in the form of "firstname@domain.com", while the majority of the users had e-mails/logins in the form of firstinitiallastname@domain.com.

 

I spoke to IT and they confirmed that these are legacy users who originally had just firstname e-mails and they're now aliased to the first intial/last name addresses. 

 

I was able to adjust my query to pull those users into my Employee table in the legacy format. When I try testing as them in the Service, the auofill picks them up in the same format, but the filtering doesn't work. 

 

I have tried using their proper e-mail format as well, but in the service you cannot select that format for testing (or for adding to security roles, etc.) 

I am meeting with the IT group today to look into their accounts (as I don't have access) but I'm wondering if anyone else has come across this issue. I know they will not want to start changing these accounts (there's probably 25 or so), so I need to find a way to make them work.

 

Thanks in advance!

 

Kevin Coles

Labels:
Message 1 of 6
1,338 Views
0
5 REPLIES 5
KevinColes
Helper III
Helper III

‎10-08-2020 10:51 AM

So I did a bit more testing on this with IT and it seems the legacy logins are not all the same. Some would filter my "Logged in user:" measure correctly however it would filter the records completely instead of having it unfiltered altogether.

 

I can't help but think that the simplest solution would be to build my RLS role filter in such a way that it looks for a match on either of two columns: Email and LegacyEmail (which I will create). So evey employee would have a standard e-mail and some would have a Legacy one. 

 

My current filter is like this:

KevinColes_0-1602179368338.png

 

Here I filter my Project table where the ProjMgr (numeric for EmployeeID) matches the EmployeeID in my Employee table where the Email field matches the logged in user. Can anyone help me add some OR logic to this so that it looks for a LegacyEmail first and if doesn't find one, defaults to the Email field?


Thanks,

 

Message 2 of 6
1,294 Views
0
GilbertQ
Super User
Super User
In response to KevinColes

‎10-08-2020 03:21 PM
Hi there

One other solution I would think of is in Power Query, where you know which of those 25 accounts are different to use a conditional column and where it is one of those accounts use the legacy email address or keep it as the current email address.

By doing it in this way you will not have to create a complex DAX measure to try and find the right value?

The right email addresses will all be in one column.




Did I answer your question? Mark my post as a solution!

Proud to be a Super User!







Power BI Blog

Message 3 of 6
1,279 Views
0
KevinColes
Helper III
Helper III
In response to GilbertQ

‎10-08-2020 03:30 PM

Hi @GilbertQ 

 

I am already doing as you suggest... my data is coming from an ERP system and the users standardized (jdoe@) email is in there and I have set up a separate table of legacy users.....in my query I do a case statement whereby if a legacy e-mail exists, use it, otherwise use the e-mail.

 

This is not the issue because I have tried this both ways - passing the legacy e-mail and the standard version. The issue is in the Service because I have tried testing using View As some of the legacy users and I know they are using the legacy e-mail that matches what the Service is pulling. I think what is happening though is that on those users, their Primary Email address is jdoe@ even though the service autofills to joe@. 

 

Any user with a Standard e-mail works.....legacy do not. 

Thanks,


Kevin

 

 

 
Message 4 of 6
1,277 Views
0
GilbertQ
Super User
Super User
In response to KevinColes

‎10-08-2020 03:34 PM
I would then chat to IT to see what they can do to resolve the issue.

I would imagine that all the emails should be the same throughout the company?

And that would then solve your issue!




Did I answer your question? Mark my post as a solution!

Proud to be a Super User!







Power BI Blog

Message 5 of 6
1,274 Views
0
KevinColes
Helper III
Helper III
In response to GilbertQ

‎10-08-2020 03:41 PM

In a perfect world yes...but it's my client not my company so I can't really dictate. Also the users are accustomed to the format they have so I'm not sure the appetite is there to change it now. 

 

Kevin

Message 6 of 6
1,271 Views
0

Helpful resources

Announcements
August Power BI Update Carousel

Power BI Monthly Update - August 2025

Check out the August 2025 Power BI update to learn about new features.

August 2025 community update carousel

Fabric Community Update - August 2025

Find out what's new and trending in the Fabric community.

View All