Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Earn a 50% discount on the DP-600 certification exam by completing the Fabric 30 Days to Learn It challenge.

Reply
than689
Frequent Visitor

SSAS Row-Level Security not working

Hello, I am stumped on this one so would really appreciate some help. We have a SSAS Tabular Model on an on-premise server which is used for Reports on the Power BI Service, with the appropriate gateway in place. I am trying to set up RLS but cannot seem to get it working, despite being able to get OLS working.

 

The below screenshot shows the RLS I have set up for the role 'RLS Test 53030' in the SSAS model:

than689_0-1688065386721.png

When I transfer an existing user from a standard 'all access' role to this RLS role, deploy changes to the SSAS model and refresh the Power BI Dataset (which hosts the SSAS live connection), they can still see all rows. We have tested this in PBI Service and via Excel connecting to SSAS, with the same result. I know that above-viewer permissions on the workspace would remove RLS for that user, but they are not a member of the host workspace at all. It is a premium workspace. 

 

At the same time, changing this role's permissions from 'Read' to 'None' does work, blocking the user from seeing any data (and I believe this also confirms the user is not a member of another role)

At the same time, adding OLS to this role (under the 'Tables and Columns' tab above) does work, hiding the selected tables/columns from the user. Only when I try adding RLS is there no effect, yet this is the feature actually needed.

 

This RLS is very important in this solution design, so I would be very grateful for suggestions! Thanks.

2 REPLIES 2
than689
Frequent Visitor

It seems this issue may have stumped the forum as well as myself! A MS support ticket may be in order.

Update: For anyone in the future who happens to have this exact problem, the solution was to remove the users from ALL other roles in the data model, including roles which have been de-activated or set to 'no access'. Membership of such a role, even if set to 'no access' at an overall level, can override RLS in any other active or non-active role the user is a member of. This is in contrast to OLS, where membership of a deactivated or 'no access' role does not appear to override OLS in an active role.

Helpful resources

Announcements
RTI Forums Carousel3

New forum boards available in Real-Time Intelligence.

Ask questions in Eventhouse and KQL, Eventstream, and Reflex.

MayPowerBICarousel

Power BI Monthly Update - May 2024

Check out the May 2024 Power BI update to learn about new features.

LearnSurvey

Fabric certifications survey

Certification feedback opportunity for the community.

Top Solution Authors
Top Kudoed Authors