Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Power BI is turning 10! Let’s celebrate together with dataviz contests, interactive sessions, and giveaways. Register now.

Reply
db042190
Post Prodigy
Post Prodigy

rls and pbi, the engine and ssas

‎05-12-2025 06:04 AM

Hi, i have to include a couple of questions here because of the nature of this challenge.   We run sql server 2019 std.   My understanding is that even 2019 std has an rls feature.  

 

we want added security on the related "cost"   portion of our fact sales record.   But best practices years ago always said "keep facts with the same granularity on the same fact record".

 

we have a sales cube which sources excel pivots and pbi dashboards/reports.  we have the same structure in our sales data warehouse (sql 2019 std) which also sources pivots and pbi dashboards/reports.    and its been years but i recall studying rls as a pbi feature too.  we are limited to pro licenses so i dont know if it applies.  BUT as i recall rls is an easily "rolled your own" behavior using some simple dax in pbi.

 

so ...1) is there a column level security feature or concept anywhere in these products or as a "roll you own", 2) i think im going to get a proposal soon that we split up the cost column (to a different record) from the revenue in order to achieve rls on cost and am wondering what the community thinks about this, when/if we move to a non expiring account (service principal) in pbi, how will pbi know with which acct the user went into pbi so rls can be applied correctly?

 

some additional notes: 

-we are looking at going to azure with ssas, ie severing it completely from the engine (sql , ssis, ssrs).   but not immediately.

-one of my peers believes that if the context of a pivot is high enough in pbi or excel where 1 or move division's costs purposely not included, we should tell our users that the measure isnt always right.   I disagree with this.

 

 

Labels:
Message 1 of 8
451 Views
0
1 ACCEPTED SOLUTION
R1k91
Super User
Super User
In response to stanteitelbaum

‎05-28-2025 10:20 AM

RLS and OLS works thanks to the "impersonation".

if a user access a power bi semantic model, the UserPrincipalName (UPN) of the user that is accessing the portal is passed to the model and it's visible in the USERPRINCIPALNAME() dax function.

 

if the user accesses a SSAS model it depends on the setting at gateway level:

- you can pass the effective UPN 

- you can map the UPN to something different 

- you can use custom data

 

Manage SQL Server Analysis Services data sources - Power BI | Microsoft Learn


--
Riccardo Perico
BI Architect @ Lucient Italia

Blog | GitHub

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

View solution in original post

Message 6 of 8
245 Views
7 REPLIES 7
v-sathmakuri
Community Support
Community Support

‎05-27-2025 01:34 AM

Hi @db042190 ,

 

Could you please provide more details so that we can help in addressing the issue.

 

Thank you!!

Message 8 of 8
292 Views
0
R1k91
Super User
Super User

‎05-12-2025 07:33 AM

I'm not sure I got 100% your question(s).

 

First of all if your SSAS has a compatiblity level over 1400 you've both RLS and OLS and it's valid for Power BI models too. PRO licenses can work with no issues with both.

 

RLS and OLS can be implemented in SQL Server database too.

 

the problem I see is that you have reports that read directly from DWH and in this case you should implement RLS and OLS in both Semantic Models and SQL Server databases that is double work to maintain.

 

 


--
Riccardo Perico
BI Architect @ Lucient Italia

Blog | GitHub

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
Message 2 of 8
424 Views
0
db042190
Post Prodigy
Post Prodigy
In response to R1k91

‎05-12-2025 01:05 PM

thx ricardo, i was afraid we'd be doing double (maybe triple pbi, engine, ssas) the work...

-is ols "object level "and can that be applied to a column or is min level of ols a table object?

-also if we implement service principal, how would pbi know who the current user is?

Message 3 of 8
407 Views
0
R1k91
Super User
Super User
In response to db042190

‎05-12-2025 03:49 PM

Ols in power bi/ssas can be applied at column and table level. Can you describe in which context you use service principal? 


--
Riccardo Perico
BI Architect @ Lucient Italia

Blog | GitHub

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
Message 4 of 8
386 Views
0
stanteitelbaum
Regular Visitor
In response to R1k91

‎05-28-2025 07:42 AM

hi R1K91.  sorry for the delay.  acct db042190's authenticator doesnt trigger anymore after the old phone (12 mini) was replaced (16e) and after EVERYTHING imaginable was attempted to correct the issue.   A ticket has been opened but MS's promise by Praveen to address the issue on the 22nd was broken.  I may open a better business bureau complaint.   i posted the issue in this forum's issue sub forum too.

 

By  service principal db042190 means a non expiring id.  its here that the idea 1st materialized https://community.fabric.microsoft.com/t5/Service/using-a-non-expiring-id-without-giving-pswd-away/m... 
 for us.   if a non expiring id (servce principal) is the "proxy" by which a dataset is refreshed daily and the report runs, how can pbi know that at the engine or ssas level (source) , the user who came in to run the dashboard or report is restricted at the table or column level?

Message 5 of 8
259 Views
0
R1k91
Super User
Super User
In response to stanteitelbaum

‎05-28-2025 10:20 AM

RLS and OLS works thanks to the "impersonation".

if a user access a power bi semantic model, the UserPrincipalName (UPN) of the user that is accessing the portal is passed to the model and it's visible in the USERPRINCIPALNAME() dax function.

 

if the user accesses a SSAS model it depends on the setting at gateway level:

- you can pass the effective UPN 

- you can map the UPN to something different 

- you can use custom data

 

Manage SQL Server Analysis Services data sources - Power BI | Microsoft Learn


--
Riccardo Perico
BI Architect @ Lucient Italia

Blog | GitHub

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
Message 6 of 8
246 Views
stanteitelbaum
Regular Visitor
In response to R1k91

‎05-28-2025 10:39 AM

thx, unfortunately i cant mark your post as an answer because MS has me tied up.   but it is more than acceptable as an answer.

Message 7 of 8
240 Views
0

Helpful resources

Announcements
June 2025 Power BI Update Carousel

Power BI Monthly Update - June 2025

Check out the June 2025 Power BI update to learn about new features.

June 2025 community update carousel

Fabric Community Update - June 2025

Find out what's new and trending in the Fabric community.

View All