
AD Group deleted when deploying dataset to workspace

Open ingthu opened this issue 3 years ago • 7 comments

Hi!

When deploying the dataset, the AD group (for Row-Level Security) that exists in the workspace is deleted. It would be good if the AD group could be kept even if you deploy.

I am using the 1.0.0-rc.2+preview.4 Hotfix Release

ingthu avatar Aug 16 '22 07:08 ingthu

That's a known limitation in the latest preview - all role members are currently reset when deploying. This will be fixed in the next release, expected before the end of August. An immediate workaround would be to declare the groups and users for each role in the TMSL sources.

mthierba avatar Aug 16 '22 08:08 mthierba

Thanks for your response!

ingthu avatar Aug 16 '22 08:08 ingthu

Is there an update on this? TMDL doesn't currently serialise role members, so I would like to be able to deploy without overwriting role membership. Do you know if serialisation of role membership is on the roadmap for TMDL? Many thanks, Ben

bcdobbs avatar Apr 13 '23 14:04 bcdobbs

Support for role members is coming in preview 2 or 3 of TMDL.

mthierba avatar Apr 15 '23 20:04 mthierba

Since it isn't fixed yet, here is more detail about the workaround:

  • If starting from pbix/pbit, generate TMSL instead of TMDL, for example using pbi-tools extract -modelSerialization Legacy
  • Following https://learn.microsoft.com/en-us/analysis-services/tmsl/roles-object-tmsl, define, for example, an AD user role member by editing the Model/database.json file to get:
    "roles": [
      {
        "name": "Internet Sales Global",
        "description": "All users can query model data",
        "modelPermission": "read",
        "members": [
          {
            "memberName": "[email protected]",
            "identityProvider": "AzureAD"
          },
          {
            "memberName": "obj:group-id@tenant-id",
            "identityProvider": "AzureAD"
          }
        ],
        "tablePermissions": [
          // ...
        ]
      }
    ],

PHPirates avatar Sep 12 '23 12:09 PHPirates
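A pre-deploy check for the workaround described above, as an added example that is not part of the original thread or of pbi-tools: it reads a TMSL database.json and reports Row-Level Security roles that declare no members or whose members are malformed, since such roles end up without the intended members once a deploy resets them. The function name, the sample document and the assumption that roles sit under "model" (or at the top level) are illustrative.

```python
import json

# Constructed sample shaped like the Model/database.json fragment in the thread.
SAMPLE = """
{
  "name": "SampleModel",
  "model": {
    "roles": [
      {"name": "Internet Sales Global", "modelPermission": "read",
       "members": [
         {"memberName": "obj:group-id@tenant-id", "identityProvider": "AzureAD"},
         {"memberName": "obj:group-id", "identityProvider": "AzureAD"}
       ]},
      {"name": "Internet Sales EMEA", "modelPermission": "read"}
    ]
  }
}
"""

def check_role_members(doc):
    """Return a list of findings; an empty list means every role declares usable members."""
    # Assumption: roles sit under "model" (TMSL database layout) or at the top level.
    roles = doc.get("model", doc).get("roles", [])
    findings = []
    for role in roles:
        name = role.get("name", "<unnamed>")
        members = role.get("members") or []
        if not members:
            findings.append(f"{name}: no members declared; a deploy would reset it to empty")
        for m in members:
            member = m.get("memberName", "")
            if not m.get("identityProvider"):
                findings.append(f"{name}: {member or '<missing>'} has no identityProvider")
            # Accept the two forms shown in the thread: name@domain and obj:id@tenant.
            body = member[4:] if member.startswith("obj:") else member
            left, sep, right = body.partition("@")
            if not (left and sep and right):
                findings.append(f"{name}: memberName {member!r} is not name@domain or obj:id@tenant")
    return findings

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    problems = check_role_members(json.loads(text))
    print("\n".join(problems) or "all roles declare members")
    # Fail the pipeline step only when checking a real file passed on the command line.
    sys.exit(1 if problems and len(sys.argv) > 1 else 0)
```

Run it against Model/database.json before the deploy step so that a role without declared members stops the pipeline instead of silently losing its AD group.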