Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
than689
Frequent Visitor

SSAS Row-Level Security not working

Hello, I am stumped on this one so would really appreciate some help. We have a SSAS Tabular Model on an on-premise server which is used for Reports on the Power BI Service, with the appropriate gateway in place. I am trying to set up RLS but cannot seem to get it working, despite being able to get OLS working.

 

The below screenshot shows the RLS I have set up for the role 'RLS Test 53030' in the SSAS model:

than689_0-1688065386721.png

When I transfer an existing user from a standard 'all access' role to this RLS role, deploy changes to the SSAS model and refresh the Power BI Dataset (which hosts the SSAS live connection), they can still see all rows. We have tested this in PBI Service and via Excel connecting to SSAS, with the same result. I know that above-viewer permissions on the workspace would remove RLS for that user, but they are not a member of the host workspace at all. It is a premium workspace. 

 

At the same time, changing this role's permissions from 'Read' to 'None' does work, blocking the user from seeing any data (and I believe this also confirms the user is not a member of another role)

At the same time, adding OLS to this role (under the 'Tables and Columns' tab above) does work, hiding the selected tables/columns from the user. Only when I try adding RLS is there no effect, yet this is the feature actually needed.

 

This RLS is very important in this solution design, so I would be very grateful for suggestions! Thanks.

2 REPLIES 2
than689
Frequent Visitor

It seems this issue may have stumped the forum as well as myself! A MS support ticket may be in order.

Update: For anyone in the future who happens to have this exact problem, the solution was to remove the users from ALL other roles in the data model, including roles which have been de-activated or set to 'no access'. Membership of such a role, even if set to 'no access' at an overall level, can override RLS in any other active or non-active role the user is a member of. This is in contrast to OLS, where membership of a deactivated or 'no access' role does not appear to override OLS in an active role.

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

Top Solution Authors
Top Kudoed Authors