Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Grow your Fabric skills and prepare for the DP-600 certification exam by completing the latest Microsoft Fabric challenge.

Reply
AndriyK
Helper I
Helper I

issues with dynamic RLS in Power BI service with connection live to a local SSAS tabular

hello,

 

we are using Power BI reports published to Power BI Service with connection to the local tabular SSAS databases.

i'm trying to congifure dynamic security using SSAS roles and USERPRINCIPALNAME() functions. to do that i created the security Roles in the local SSAS, set the roles to filter records using USERPRINCIPALNAME().
evything works fine and Roles fiter the records as expected.

But, when i remove the user from the security Role on the local SSAS, the user still having an access to the data the same way he had when was added to the Role. 

 

after removing the test user from the security role, i've tried to:  log out the test user and log back, refresh the dataset in Power BI service, republish the app, remove user from the app and add user back.

but the test user is still keeping the access to data.

 

looks like test user has the assigned RLS access even when i have deleted the user from the local Security Role.

if i delete the security Role completely or restart ssas services on local server, the the test user access is removed. 

 

so, i have to delete the local security Role in SSAS or restart SSAS services to remove user access.

 

could you please let me know what can i check to fix it.

 

UPDATE:

looks like it is working, but it takes about 30 minutes to propagate the changes after the user is removed from the security role in ssas.

does it have to take so long?

 

thank you,

Andriy

 

before adding the test user to the role:

2023-09-12_16-13-03.png

Role settings in SSAS

2023-09-12_16-16-51.png

2023-09-12_16-15-30.png

 

access when added to the role:

2023-09-12_16-18-03.png

removed the user from the role:

2023-09-12_16-21-01.png

still has access when removed from the role, before restarting SSAS or deleting the Role

 

2023-09-12_16-18-03.png

after SSAS restart or role deletion:

2023-09-12_16-13-03.png

 

2 REPLIES 2
GilbertQ
Super User
Super User

Hi @AndriyK 

 

The reason it can take up to 30 mins for changes to take effect is because things in the cloud need time to propegate and that is how it generally works.

 

For the connections your data source connection to the local SSAS instance has to have the Admin permissions. And then when the users connect they then will use their USERPRINCIPALNAME()





Did I answer your question? Mark my post as a solution!

Proud to be a Super User!







Power BI Blog

hi @GilbertQ 
thanks for your reply!

sorry for the delay with response, somehow i didn't get notification about your message.

 

if we talk about propagation and that it takes time:
when i add the user to the ssas Role, the changes are propagated right away.

but when i remove it, it take 30 min to propagate.

it is a bit strange in my opinion.

 

thanks,

Andriy 

Helpful resources

Announcements
Europe Fabric Conference

Europe’s largest Microsoft Fabric Community Conference

Join the community in Stockholm for expert Microsoft Fabric learning including a very exciting keynote from Arun Ulag, Corporate Vice President, Azure Data.

RTI Forums Carousel3

New forum boards available in Real-Time Intelligence.

Ask questions in Eventhouse and KQL, Eventstream, and Reflex.

Top Solution Authors