Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

The Power BI Data Visualization World Championships is back! It's time to submit your entry. Live now!

Reply
tomas12344
Helper III
Helper III

Best practice for RLS

‎03-04-2022 04:04 AM

Hi 

My customer want to implement RLS to power bi, but we found out, that the RLS can be quite easy overriden. 

 

The power bi is set as follow:

- user (developer/report creator) log in to PBI wiht his/her credentials

- gateway to source system is set with technical user

- data from source system are loaded with import mode

 

problem is the following situation:

- A creator of a report, including a data set, uses his personal credentials during development in PBI Desktop - this means that he effectively has access to the data for which he is authorized in the source system (e.g. his cost centers). Now we must assume that this creator has not implemented any specific RLS. He then publishes the report, including the data set, in the PBI Service and now wants the data to be updated regularly

- In the PBI Service, as admin, we created a corresponding connection in the gateway and stored a technical user who has read authorization for all data in the source system (since we do not want a separate connection for each DB object)

- This connection is now stored in the data set in the service in order to update it regularly

- After the first refresh, according to our understanding, all data / cost centers are now visible in the report and the creator can now see them all (because the access rights of the technical user)

 

the question is, what is the best practice for using RLS in this case? How can they enable to self-create reports in PBI, update dataset, ... without the risk of missing RLS? Can they do this only with separate technical user and separate connections? What is the best practice to prevent import mode security from being bypassed?

 

Labels:
Message 1 of 5
1,834 Views
0
4 REPLIES 4
v-kkf-msft
Community Support
Community Support

‎03-08-2022 01:42 AM

Hi @tomas12344 ,

 

You can try setting up static or dynamic RLS in Desktop.

 

Static RLS means that you define the logic of security inside the Power BI file (PBIX), and for every change in the logic, you have to open the PBIX file, apply the change, save the file, and publish it again. 

Dynamic RLS means that you define the logic of security inside the data model (tables, their relationships, etc). For a change in the logic, you just need to add/edit/delete records in the tables.

 

So if there are fewer roles, please try static RLS. If you want less maintenance in the future, please use dynamic RLS.

 

Then publish reports to Service and assign roles to users, then they will only see the data they have access to. If these users are given Bulid permission for the dataset, they will be able to create new reports with the data that the RLS has been applied.


Please be careful not to give users the edit permission of the report, otherwise RLS won't work.

 

 

If the problem is still not resolved, please provide detailed error information or the expected result you expect. Let me know immediately, looking forward to your reply.
Best Regards,
Winniz
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Message 3 of 5
1,751 Views
0
tomas12344
Helper III
Helper III
In response to v-kkf-msft

‎03-08-2022 02:02 AM

Thank you for the answer.
But i think nor static neither dynamic RLS will fully solve the situation. 
We need definetly the dynamic RLS, because the RLS conditions are stored in other system, and we are importing them to PBI.

I think the bigest problem is that the report creator must always defined the RLS (in desktop and in Service). That are two steps, that the creator must do, but how to force him/her to do it? Or later to automaticaly check(when the report is published, for example)?
The reprot creator will use his credential to import the data to PBI and then publish it to PBI service. In this case he/she should be limited by the source system to see/download only the data/rows, that he/she could see. Until the report creator is working with his credentials,  he will see only what he can see.
But in the PBI Service, the connection will be set on gateway with technical user(which has more rights then the user loged in). After the data in Service is refreshed, then all the data will be downloaded (becuase of the technical user), and who will open the report will see all the data, becuase the report creator do not implemented the RLS. How to avoid the situation with different access rights for technical user and report creator/business user, when the report creator have not implemented RLS?

Message 4 of 5
1,744 Views
0
lbendlin
Super User
Super User
In response to tomas12344

‎03-08-2022 03:59 AM

There are data sources like SSAS that can bring RLS with them when you access them from Power BI. In the gateway you can enable credentials passthrough.

Someone still has to do the work though. You are pushing it upstream.

Message 5 of 5
1,733 Views
lbendlin
Super User
Super User

‎03-05-2022 02:49 PM

There are two different brands of RLS.

Static RLS uses roles where you can assign users into.  These roles drive rules in your dimension tables that then restrict access for each role.

Dynamic RLS senses the user looking at the report (via USERPRINCIPALNAME()) and restricts access accordingly.

 

Both work well when implemented correctly.  Both require good planning, clean implementation, and ongoing maintenance.

 

Best practice for RLS is not to use RLS unless you really, really have to.

Message 2 of 5
1,773 Views
0

Helpful resources

Announcements
Power BI DataViz World Championships

Power BI Dataviz World Championships

The Power BI Data Visualization World Championships is back! It's time to submit your entry.

December 2025 Power BI Update Carousel

Power BI Monthly Update - December 2025

Check out the December 2025 Power BI Holiday Recap!

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All