This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 87%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERC%3C/text%3E%3C/svg%3E)
Hi,
I am implementing a dynamic filter in roles that I have in my SSAS Tabular cube. I have a user that is in two different roles.
If I test my data using this user only in one role everything returns as expected, but if the user is in two different roles I get the following error.
The combination of active roles results in a dynamic security configuration that is currently not supported. Please contact the administrator of the database to resolve this issue. (Microsoft SQL Server 2017 Analysis Services)
I have rows security filters and object-level security filters.
This error appears to anyone? Anyone knows how to pass through this issue?
Thanks for all your help.
-- Ricardo Castro
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 47%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDG%3C/text%3E%3C/svg%3E)
Sorry, I have to post this as another "answer" as apparently replies are limited to 1000 characters.
I understand what you mean, but, in my understanding, the potential exposure is there using one role or two roles.
No, it's not. The exposure is very different with multiple roles. The security filters within a single role are combined with a logical AND. Where as the security filters for multiple roles are always unioned together, effectively combined with a logical OR. This is not a problem if the roles are filtering the same table eg. Customer[Country] = "USA" and Customer[Country] = "France" - in that case you get the expected result. But it is very different if you have filters on different tables.
For example if you have 2 filters on different tables like:
If these are specified in one role then you will only see data where Customer[Marital Status] = "M" AND Product[Color] = "Red"
If these are specified in two roles you will see data where Customer[Marital Status] = "M" OR Product[Color] = "Red" so you will see other colors for married customers and you will see other marital statuses for red products.
Thanks for your help and I understand your answer.
But I believe that this problem occurs in the Multidimensional cubes where I can filter specific values in a table and an user can be added to several roles.
At least I do not remember add any problem with this on MD cubes.
There are some subtle differences between the security roles in Tabular and MD, but a similar issues exists in both. It's not a bug or anything like that, its just something you need to be aware of with the way security works when users are part of multiple roles.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 9%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELY%3C/text%3E%3C/svg%3E)
Hi Ricardo,
It seems currently RLS and OLS are not supported to be used in combination.
You could vote one that product feedback, to asking for this feature in future.
Combination of OLS and RLS in SSAS Tabular
Regards,
Lukas
Hi @Lucas ,
I remove all OLS filters of the roles. Now I have to roles only with a Dynamic RLS filter, based on security tables from my SQL. If I add a member only to one of this roles I am able to see the correct data, but if I put in in both roles I get that same massage.
The only filter that I have right now if this:
='Dim Perfilagem'[Sk Perfilagem]=LOOKUPVALUE('Dim Seguranca Utilizador'[Sk Perfilagem], 'Dim Seguranca Utilizador'[Utilizador AD],USERNAME(), 'Dim Seguranca Utilizador'[Sk Perfilagem], 'Dim Perfilagem'[Sk Perfilagem])
And False to all Table that I do not want users to see data.
=FALSE()
Regards
When you are using dynamic RLS I believe you need to combine all of your security restrictions into the dynamic role. Doing it any other way potentially exposes too much information which is why this error is thrown.
Hi @Darren Gosbell ,
Thanks for your reply.
I have write the first filter (similar) in all my fact tables. Just a few dimensions table do not have any filter.
We are very concern with security, and we created several test users to add to the several group to analyse the behavior.
I understand what you mean, but, in my understanding, the potential exposure is there using one role or two roles.
Regards
Hi,
I think dgosbell's answer has also confirmed that this is obstacle. You could mark his post as answer if it helped.