Hello!
I am looking to create row level security for two different sets of people. I have been told that managing permissions on the service itself is not the way the group wants to manage this, so I am doing it with USERPRINCIPALNAME within the model itself.
There are two groups of people.
Managers - Managers manage buildings. Within the model, this one is fine. If Manager X manages building 1, they only get to see data for building 1. I have the list of managers and the buildings that they are in charge of and the relationship is based off of that.
Corporate users - Corporate users should be able to see everything. I do not have a list of corporate users (although I can and probably will get one). There is no "tie" in the same way that managers are tied to buildings for me to use in relationships. This is where I'm not sure how to proceed. So I understand that for them I want no filters for them, but I'm not sure how to go about doing that since my only RLS experience is the manager portion above where I'm creating a relationship and filtering based off of the relationship within the model.
Any insight or help would be greatly appreciated! Thank you
@Anonymous
If you create another role in Power BI Desktop, one that does not have any filters, then you can add users to that role and they will be able to see all the data.
In order for RLS to work, however, you must assign users to the role in the service. The best way to handle that is with Active Directory security groups. You assign the users to the security group and the security group to the role. That way, if you need to add new users to a role they can just be added to the security group.
Hey, I would go directly for dynamic RLS, using security tables, because it's the most scalable option, and scale is inevitable.
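The security-table approach suggested in the reply above, written out as an added example that is not part of the original thread: a single role whose table filter on the building table lets corporate users through and restricts managers to their own buildings. The `UserSecurity` and `Building` tables and all of their column names are hypothetical.

```dax
// Added example: table filter DAX expression for ONE role, defined on the
// Building table. All table and column names are assumptions:
//   UserSecurity[UserEmail]   - sign-in name, as returned by USERPRINCIPALNAME()
//   UserSecurity[AccessLevel] - "Corporate" or "Manager"
//   UserSecurity[BuildingID]  - building a manager is in charge of
//                               (left blank on corporate rows)
//   Building[BuildingID]      - key of the table being secured
VAR _upn = USERPRINCIPALNAME ()
// Every security row that belongs to the signed-in user
VAR _userRows =
    FILTER ( UserSecurity, UserSecurity[UserEmail] = _upn )
// TRUE when the user has at least one "Corporate" row
VAR _isCorporate =
    NOT ISEMPTY (
        FILTER ( _userRows, UserSecurity[AccessLevel] = "Corporate" )
    )
// Single-column table of the buildings this user manages
VAR _managedBuildings =
    SELECTCOLUMNS (
        FILTER ( _userRows, UserSecurity[AccessLevel] = "Manager" ),
        "BuildingID", UserSecurity[BuildingID]
    )
RETURN
    // Corporate: every Building row passes.
    // Manager: only rows for their own buildings pass.
    // No row in UserSecurity: neither branch matches, so nothing is visible.
    _isCorporate
        || Building[BuildingID] IN _managedBuildings
```

With this pattern, granting or removing access is a change to the rows of the security table rather than to the role definitions.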
You are correct. The model decides how to filter based on the rules of the role the user is in. This does mean that a user that is not in any role will not be able to see any data at all. Just something to keep in mind. Also, the users cannot be members of the workspace in anything other than a reading role or RLS is not applied to them at all.
Thank you for your reply, this is what I'm looking for! So I would just have a "corporate" role assigned to whatever their security group is and then everyone within that group would be able to see everything, is that right?
I just want to make sure both of my bases are covered:
The dynamic RLS I'm using for managers would still work as well, correct?