cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Fabric is Generally Available. Browse Fabric Presentations. Work towards your Fabric certification with the Cloud Skills Challenge.

Reply
AndriyK
Helper I
Helper I

issues with dynamic RLS in Power BI service with connection live to a local SSAS tabular

‎09-13-2023 05:56 AM

hello,

 

we are using Power BI reports published to Power BI Service with connection to the local tabular SSAS databases.

i'm trying to congifure dynamic security using SSAS roles and USERPRINCIPALNAME() functions. to do that i created the security Roles in the local SSAS, set the roles to filter records using USERPRINCIPALNAME().
evything works fine and Roles fiter the records as expected.

But, when i remove the user from the security Role on the local SSAS, the user still having an access to the data the same way he had when was added to the Role. 

 

after removing the test user from the security role, i've tried to:  log out the test user and log back, refresh the dataset in Power BI service, republish the app, remove user from the app and add user back.

but the test user is still keeping the access to data.

 

looks like test user has the assigned RLS access even when i have deleted the user from the local Security Role.

if i delete the security Role completely or restart ssas services on local server, the the test user access is removed. 

 

so, i have to delete the local security Role in SSAS or restart SSAS services to remove user access.

 

could you please let me know what can i check to fix it.

 

UPDATE:

looks like it is working, but it takes about 30 minutes to propagate the changes after the user is removed from the security role in ssas.

does it have to take so long?

 

thank you,

Andriy

 

before adding the test user to the role:

2023-09-12_16-13-03.png

Role settings in SSAS

2023-09-12_16-16-51.png

2023-09-12_16-15-30.png

 

access when added to the role:

2023-09-12_16-18-03.png

removed the user from the role:

2023-09-12_16-21-01.png

still has access when removed from the role, before restarting SSAS or deleting the Role

 

2023-09-12_16-18-03.png

after SSAS restart or role deletion:

2023-09-12_16-13-03.png

 

Labels:
Message 1 of 3
126 Views
0
2 REPLIES 2
GilbertQ
Super User
Super User

‎09-13-2023 02:50 PM

Hi @AndriyK 

 

The reason it can take up to 30 mins for changes to take effect is because things in the cloud need time to propegate and that is how it generally works.

 

For the connections your data source connection to the local SSAS instance has to have the Admin permissions. And then when the users connect they then will use their USERPRINCIPALNAME()





Did I answer your question? Mark my post as a solution!

Proud to be a Super User!







Power BI Blog

Message 2 of 3
97 Views
0
AndriyK
Helper I
Helper I
In response to GilbertQ

‎09-19-2023 05:20 AM

hi @GilbertQ 
thanks for your reply!

sorry for the delay with response, somehow i didn't get notification about your message.

 

if we talk about propagation and that it takes time:
when i add the user to the ssas Role, the changes are propagated right away.

but when i remove it, it take 30 min to propagate.

it is a bit strange in my opinion.

 

thanks,

Andriy 

Message 3 of 3
61 Views
0

Helpful resources

Announcements
PBI November 2023 Update Carousel

Power BI Monthly Update - November 2023

Check out the November 2023 Power BI update to learn about new features.

Community News

Fabric Community News unified experience

Read the latest Fabric Community announcements, including updates on Power BI, Synapse, Data Factory and Data Activator.

Power BI Fabric Summit Carousel

The largest Power BI and Fabric virtual conference

130+ sessions, 130+ speakers, Product managers, MVPs, and experts. All about Power BI and Fabric. Attend online or watch the recordings.

View All
Top Solution Authors
View All
Top Kudoed Authors
View All