Find everything you need to get certified on Fabric—skills challenges, live sessions, exam prep, role guidance, and more. Get started
Hi,
We are looking at rolling out Power BI and the desire is to have super users in seperate divisions building reports.
Development in Power BI Desktop - publish to cloud - enterprise gateway to on prem views in SQL Server (Pro licences for users).
We are currently using SSRS for reporting and security is handled within SSRS which prevents anyone in one division being able to access data for other divisions.
I have been searching for a while today and I do not seem to have identified how I can set up the security that will block the divisional report creators (super users) from accessing other divisions data.
If my understanding is correct RLS will only work for read-only users
I am not sure if this is possible but could I create divisional views with divisional data connections in the gateway and limit access to those conections?
Please can someone point me at some suggestions as to how to manage the security.
Any ideas or pointers greatfully received
Shaun
Solved! Go to Solution.
Hi @ShaunBrewer,
I don't believe I will have problems with read only users, my concern is with report creators in the seperate divisions, these staff should not have access to other divisions data. However I can't see a way to bock report creators once the access is via the gateway.
While these users are internal I can control access to the data by creating divisional views and limiting access to these veiws by AD groups. However I am concerned that once in the cloud and accessing data via the gateway this control is lost?
If you have set the limit permission in the database, then when the report creator fetches data from Power BI Desktop, it can only fetch the corresponding data. When you publish the report to PowerBi Service and configure the gateway. The permissions you have set in SQL Server will not be invalid, because the gateway just refreshes the data.
Best Regards,
Cherry
Hi @ShaunBrewer,
I have been searching for a while today and I do not seem to have identified how I can set up the security that will block the divisional report creators (super users) from accessing other divisions data.
If my understanding is correct RLS will only work for read-only users
I am not sure if this is possible but could I create divisional views with divisional data connections in the gateway and limit access to those conections?
Your understand should be right that If you publish your Power BI Desktop report to an app workspace within the Power BI service, the roles will be applied to read-only members.
For your scenario, we cannot create divisional views with divisional data connections in the gateway but we may create the view or table in the Database side and assign the access permission.
For reference about Power BI RLS, you could have a look at this article.
Best Regards,
Cherry
Sorry if this is a duplicate post - I am trying to reply but the post does not appear - slightly worried there is a delay and several duplicates will appear?
Hi Cherry,
thank you for your reply.
I have re-read the article you linked too, it was one I had looked at before posting, it is very useful.
I don't believe I will have problems with read only users, my concern is with report creators in the seperate divisions, these staff should not have access to other divisions data. However I can't see a way to bock report creators once the access is via the gateway.
While these users are internal I can control access to the data by creating divisional views and limiting access to these veiws by AD groups. However I am concerned that once in the cloud and accessing data via the gateway this control is lost?
Simplistically
In SQL Server
I can create views for each table and set read access via AD groups
e.g. vwTableA_D1
SELECT * FROM TableA WHERE Division = 1
Report creators in Division 1 will be in the Divsion 1 AD group with read access to vwTableAD1.
My understanding is while the report creator is using Power BI desktop to develop everything is fine, but what happens if they create reports in the cloud or amend reports created in the Desktop tool from the cloud? i.e. How do I stop a report creator in Divsion 1 accessing Division 2 views?
Thanks again and sorry if I am missing something.
Shaun
Hi @ShaunBrewer,
I don't believe I will have problems with read only users, my concern is with report creators in the seperate divisions, these staff should not have access to other divisions data. However I can't see a way to bock report creators once the access is via the gateway.
While these users are internal I can control access to the data by creating divisional views and limiting access to these veiws by AD groups. However I am concerned that once in the cloud and accessing data via the gateway this control is lost?
If you have set the limit permission in the database, then when the report creator fetches data from Power BI Desktop, it can only fetch the corresponding data. When you publish the report to PowerBi Service and configure the gateway. The permissions you have set in SQL Server will not be invalid, because the gateway just refreshes the data.
Best Regards,
Cherry
After experimenting this makes sense.
I had assumed you could develop reports in the cloud using the gateway as a power user, however it appears you can only develop the report with the Desktop tool and therefore permissions are handled normally not using the gateway credentials.
Thanks
Shaun
Check out the September 2024 Power BI update to learn about new features.
Learn from experts, get hands-on experience, and win awesome prizes.
User | Count |
---|---|
114 | |
95 | |
90 | |
35 | |
35 |
User | Count |
---|---|
154 | |
102 | |
82 | |
64 | |
54 |