Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Don't miss out! 2025 Microsoft Fabric Community Conference, March 31 - April 2, Las Vegas, Nevada. Use code MSCUST for a $150 discount. Prices go up February 11th. Register now.

Reply
Rajnish366
Frequent Visitor

What if a user is common in dynamic RLS report across two roles

‎01-16-2025 10:20 AM

Q 1. In my Dynamic RLS PBI report few users are common across two roles (being part of two different group added in Role 1 and Role 2 as super user) what will happen in this case. which role will be effective? 

Q 2. Pls suggest the impact of Bi-directional (security applied at both side) many to one relation in a Dynamic RLS reoprt.

Labels:
Message 1 of 5
191 Views
0
1 ACCEPTED SOLUTION
v-aatheeque
Community Support
Community Support
In response to Rajnish366

‎01-21-2025 01:52 AM

Hi @Rajnish366 
Thanks for reaching out to Microsoft Fabric Community Forum.

1.This is likely a role based on the UserPrincipalName() DAX function, which is commonly used to assign permissions to users based on their email addresses or usernames.
2.This role is based on a condition where a DAX expression evaluates to True() for users who meet a specific condition (in this case, users who belong to certain Active Directory groups).

 

3.when multiple roles are assigned to a user, the most restrictive role generally takes precedence.

 

  • If both roles apply to a user, the system will apply both sets of filters together unless there's an explicit conflict (such as one role restricting a value while another allows it).
  • If the "Super Users" role is set up with broader access (e.g., True() condition for certain users), it may override or provide broader access than the "Email" role, depending on the conditions of the "Email" role.

Addtionally For  the UserprincipalName() function, you can refer to :
DAX USERPRINCIPALNAME - Use in RLS - Power BI Docs

And for how dynamic rls sample model , you can refer to :
Dynamic Row Level Security with Power BI Made Simple - RADACAD

If this post was helpful, please consider marking Accept as solution to assist other members in finding it more easily.

If you continue to face issues, feel free to reach out to us for further assistance!



View solution in original post

Message 5 of 5
84 Views
4 REPLIES 4
GilbertQ
Super User
Super User

‎01-16-2025 03:12 PM

Hi @Rajnish366 

 

Power BI uses the niece restrictive security model. So what that means is if a user belongs to two roles, but we'll get a combination of access to both of those RLS Roles which could lead to the user seeing more data than what they should see. With regards to question two using the bidirectional work as expected only when using row level security.





Did I answer your question? Mark my post as a solution!

Proud to be a Super User!







Power BI Blog

Message 2 of 5
158 Views
0
v-aatheeque
Community Support
Community Support
In response to GilbertQ

‎01-19-2025 10:19 PM

Hi @Rajnish366 

 We haven’t heard from you on the last response and was just checking If the answer posted  by @GilbertQ  was helpful, please consider marking Accept as solution to assist other members in finding it more easily.

If you continue to face issues, feel free to reach out to us for further assistance!

Message 3 of 5
121 Views
0
Rajnish366
Frequent Visitor
In response to v-aatheeque

‎01-20-2025 11:15 PM

Hi @GilbertQ,

In my model i have created two role 1. Email = Userprinciplename ()  2. Super users where dax is only True ().
Few users are part common member of AD groups which i added in both  roles. 
My question is which role will dominate here in this case. 
Thanks for your time.

Message 4 of 5
97 Views
0
v-aatheeque
Community Support
Community Support
In response to Rajnish366

‎01-21-2025 01:52 AM

Hi @Rajnish366 
Thanks for reaching out to Microsoft Fabric Community Forum.

1.This is likely a role based on the UserPrincipalName() DAX function, which is commonly used to assign permissions to users based on their email addresses or usernames.
2.This role is based on a condition where a DAX expression evaluates to True() for users who meet a specific condition (in this case, users who belong to certain Active Directory groups).

 

3.when multiple roles are assigned to a user, the most restrictive role generally takes precedence.

 

  • If both roles apply to a user, the system will apply both sets of filters together unless there's an explicit conflict (such as one role restricting a value while another allows it).
  • If the "Super Users" role is set up with broader access (e.g., True() condition for certain users), it may override or provide broader access than the "Email" role, depending on the conditions of the "Email" role.

Addtionally For  the UserprincipalName() function, you can refer to :
DAX USERPRINCIPALNAME - Use in RLS - Power BI Docs

And for how dynamic rls sample model , you can refer to :
Dynamic Row Level Security with Power BI Made Simple - RADACAD

If this post was helpful, please consider marking Accept as solution to assist other members in finding it more easily.

If you continue to face issues, feel free to reach out to us for further assistance!



Message 5 of 5
85 Views

Helpful resources

Announcements
Las Vegas 2025

Join us at the Microsoft Fabric Community Conference

March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount!

Jan25PBI_Carousel

Power BI Monthly Update - January 2025

Check out the January 2025 Power BI update to learn about new features in Reporting, Modeling, and Data Connectivity.

Jan NL Carousel

Fabric Community Update - January 2025

Find out what's new and trending in the Fabric community.

View All