Hello,
I had a question, I have a users as level 1 in the RLS file. However, for email groups, the user is in both a level 1 email group as well as level 2 email group. When I only have the level 1 email group added in security and share it with level 1 email group, he can only see data for the building he is working for. However, whenever, I give access to the level 2 email group, that user starts getting access to everything. Is there a way around this? How would I resolve this issue?
The RLS works on the additive principal. Meaning, if a user have all the levels of permission then he/she will be able to see the rows with regards to highest level of permission applied. This is by design and it follows the “least restrictive” model.
So if the ask is for a user to have level 2 permission then, I would go the route of removing that user from level 1 security group and just keeping them in level 2. Because it will defeat the purpose of having this user in level 1.
Hope this helps
Regards
A
Thank you for your response. However, I guess I am trying to understand how PowerBI is doing this. So for example, I have the user in level 1 tied to his employees only. So if I give him level one then he would only be able to see his employees.
Level 2 users have access to all the employees within their designated building. Thus, the max permission this user can get, according to my understanding would be building-wide access.
However, since the user is in both email groups used for level 1 and level 2, PowerBI is giving him access to all employees in all of the building. I looked for him in other email groups and he is not there.I guess I am not understanding what could be doing this.
based on what you described, you are unable to see the “user” in the security group for level 2? What I understood from above is that for example let us take following scenario,
SG1 – security group 1
SG2 – security group 2
Now assume we have three employees,
Sam, Brian and Ansh
Sam is the boss so let is add him to SG1
Brian is in SG2
Ansh - regular employee with no manager level access,
Ideally, the RLS is provided to a username and in the Power BI Service we will specify which security group to add and apply this RLS to.
So if we add SG1, then only Sam will be able to see the data, and if we add SG2 then even Brian will be able to see the data.
If the combination is applied, SG1 and the user Brian then Brian will still be able to see all the data and Brian will not be a part of SG1.
Based on your original ask, “I had a question, I have a users as level 1 in the RLS file. However, for email groups, the user is in both a level 1 email group as well as level 2 email group.” the logic is as mentioned in my previous reply.
However there is another unique scenario where an employee is not part of the SG but has been added explicitly to the RLS (explained in this post above)
Hope this clarifies 
Hi @supergallagher25, did the response provided by @AnshP help you solve your query? If not, how far did you get and what kind of help you need further? If yes, kindly mark as solution the answer that solved your query. Thanks!
Hi @supergallagher25, we’ve noticed that no response has been received from you since the 19th of February. We just want to check if you still need further help with this post? In case there won’t be any activity on it in the next few days, we’ll be tagging this post as Solved.
We’ve recently launched the Enterprise DNA Forum User Experience Survey, please feel free to answer it and give your insights on how we can further improve the Support forum. Thanks!
Hi @supergallagher25, a response on this post has been tagged as “Solution”. If you have a follow question or concern related to this topic, please remove the Solution tag first by clicking the three dots beside Reply and then untick the check box.