Month: April 2019

What happens when a User has Multiple RLS Roles in Power BI?

Row-level security (RLS) in Power BI allows restricting what data users can see via boolean DAX expressions; this is done per dataset.  I never thought much about what it meant for a user to be assigned multiple roles until it came up in a meeting, in which I quickly declared “it would be the AND union of the conditions of each of the roles.”  One of the attendees, just as swiftly, responded that he thought it would be the most flexible combination, meaning an OR union of the conditions.  So which one is it?

To my surprise, I couldn’t find an article online that explained which one it was.

Let’s quickly review RLS.  The process to define RLS for a dataset is more or less as follows (for a full tutorial see

  1. A role is created in Power BI Desktop and defined by declaring one or more boolean DAX expressions against the dataset.  For example, Customers[Gender] = "M".  This would restrict members of that role to see only male customers.   Moreover, that same role could have another expression associated with it, such as Geography[Country] = "Canada".  The conditions are AND-ed and members of the role would be able to see only male Canadian customers.
  2. Additional roles are created in the same fashion, as necessary.
  3. The report is published to the Power BI Service.
  4. A user with permissions to the workspace accesses the dataset’s security page and assigns each intended user to one or more roles.

So what happens when a user is assigned to two roles?  Is the data filtered for the user by OR-ing the expressions of each role or by AND-ing the expressions of each role?  That is, is it

( Role1Condition1 AND Role1Condition2 AND … )
OR ( Role2Condition1 AND Role2Condition2 AND … )

or is it

( Role1Condition1 AND Role1Condition2 AND … )
AND ( Role2Condition1 AND Role2Condition2 AND … )

The answer is the first expression, the least restrictive.  See the attached Power BI report (Multiple Roles) if you want to experiment yourself with roles and sample data.

For real-world context, this came up when discussing how to secure a workspace and a dataset in light of 150 users and two roles: one with full access to the data and another with partial access to the data.  The 150 would split at about 5 for the first role and 145 for the second.  We needed to give access to the app to all 150 and then assign users to roles.  We were wondering how many AD security groups we needed to create and manage.

If the conditions for the roles were AND-ed as I initially thought, we were going to need one group for the 150 to access the app and another group for the 145 in the more restrictive role.  The 5 users for the “full” role would be entered individually.

However, if the conditions for the roles were OR-ed, as is the case, we would only need one group for the 150.  The partial role would have all 150 users and the 5 users for the “full” role would be entered individually.  The OR logic would automatically give full access to the 5.

P.S.  How do you define a role with full data access?  Just create the role but don’t add any DAX expressions for it.

Download the sample report here: Multiple Roles.
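The combination rule described above can be modelled outside Power BI to audit what a set of role assignments really exposes. The following is an added example, not part of the original post or the sample report; the role names, user names and customer rows are constructed for illustration.

```python
# Added illustration: models the role-combination rule described in the post.
# Role names, users, columns and rows are constructed sample data.

ROLES = {
    # Each role is a list of boolean filters; filters within a role are AND-ed.
    "MaleCanada": [
        lambda r: r["Gender"] == "M",
        lambda r: r["Country"] == "Canada",
    ],
    "Females": [lambda r: r["Gender"] == "F"],
    # A role with no expressions filters nothing: full data access.
    "Full": [],
}

CUSTOMERS = [
    {"Id": 1, "Gender": "M", "Country": "Canada"},
    {"Id": 2, "Gender": "M", "Country": "USA"},
    {"Id": 3, "Gender": "F", "Country": "Canada"},
    {"Id": 4, "Gender": "F", "Country": "USA"},
]

ASSIGNMENTS = {
    "alice": ["MaleCanada"],
    "bob": ["MaleCanada", "Females"],
    "carol": ["MaleCanada", "Full"],
}


def role_allows(role, row):
    """AND of every expression in one role (all() of nothing is True)."""
    return all(expr(row) for expr in ROLES[role])


def visible_ids(assigned_roles, rows=CUSTOMERS):
    """OR across the user's roles: a row shows if any assigned role allows it."""
    return [r["Id"] for r in rows
            if any(role_allows(name, r) for name in assigned_roles)]


def users_with_full_access(assignments, rows=CUSTOMERS):
    """Audit helper: users whose combined roles expose every row."""
    all_ids = [r["Id"] for r in rows]
    return sorted(user for user, roles in assignments.items()
                  if visible_ids(roles, rows) == all_ids)
```

Because roles are OR-ed, adding a user to one more role can only widen what that user sees, so a review of role membership should look at the union of a user's roles rather than each role in isolation.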


Power BI: Resolving one case of “Access to the Resource is Forbidden”

Just last week, while returning to work on a Power BI report, I got this message when trying to refresh the data:

What the heck?  In Data Source Settings everything looked fine.  My report used a couple of OneDrive connections that looked OK, for example:

After a while of double-checking folder locations, file names, permissions, etc., I thought I would just try removing and reentering the credentials in the dialog above and voilà, problem solved.


Power BI Best Practice: Use Parameters for Connection Information

This best practice is a simple corollary from a software engineering principle: never hard code values in code!  I am singling out connection information as in Power BI all work begins by connecting to one or more data sources.  You should always use parameters to refer to server addresses, database names, folder paths, and file names, for example.  For a tutorial on parameters see this article from Microsoft:

There are several benefits to this:

  • More readable code.  It’s easier to understand this M code:

    Source = Sql.Database ( #"QA Server", #"CRM Database" )

    than this M code:

    Source = Sql.Database ( "333.444.55.66", "DB459" )

  • Changes are easier to make.  If you have several queries against a database, for example, and the server address or the database name changes, then you only need to change parameter values, not each query’s code.  Consider a scenario in which you begin report development against data sources in a test environment.  When the time comes to test against the production environment it is more convenient to make the switch by editing parameter values.
  • Dependencies are explicit.  By just looking at parameter names and values you can tell what a report’s data source dependencies are.
  • Parameters can be changed in the Power BI service.  If connection information changes after publishing a report, parameters may be edited online in the dataset’s settings.  No need to republish the report.  Following a previous example, consider a situation in which you don’t have access to production data sources.  You may publish the report with the test environment’s parameter values and then edit the connection information after publication.  (For this to work the Power BI data gateway needs to have the production environment’s data sources defined.)


Using Z-Order to “Hide” Visuals Targeted for Phone Layout in Power BI

One important but often overlooked design requirement for a report page is whether it will be viewed on phones and not only on desktop devices. And even when we are aware of such a requirement it might be a challenge to use visuals that work well for both kinds of devices. This is because in Power BI the desktop layout is the principal layout: the phone layout simply allows you to choose from the visuals already present and configured in the desktop layout. But sometimes we need visuals targeted for phone layout only.

Such a need may arise with “wide” visuals, such as a column chart with many categories in its X axis, a situation which I faced in a recent report that led me to write about this. The visual in question displays amounts by day number:

On a phone this visual will require heavy scrolling, which is quite inconvenient, as evidenced when viewed in phone layout:

A bar chart would be more suitable for a phone as there is “infinite” vertical space available.  In this image I chose to cap it at 24 days but could have gone the full 30:

So what to do?

Without layout independence one might think that an easy solution would be that a visual designed and configured specially for phone view might just be hidden (via the Selection Pane) in desktop layout and then selected in phone layout. However, while the visual may appear to be available when you switch to phone layout:

when you drag it onto the phone canvas it “disappears.”  This is what I see after dragging it to the top of the canvas:

My solution to this was to use the z-order setting for visuals to “hide” my phone visual behind the desktop visual (I also did this for a few other phone-only visuals):

The ideal situation would be to have more design independence on the phone layout rather than having to resort to such stratagems.
