CoreyP
Solution Sage

Tips/Ideas/Best Practices for Enterprise Level RLS

Hey All,

 

I was hoping to get some ideas from anyone with experience setting up RLS in an enterprise level organization. We have many different employees from all over the world working in different capacities. A requirement has been given that leadership would like to implement some dynamic RLS to restrict data to what the person viewing is allowed to see. 

 

To simplify this, I'm going to use roles and corresponding AAD security groups. What I'm thinking about now is the best way to 1. minimize the number of different roles and 2. manage the access rules of the roles. Ideally, the roles and access rules would be stored in our HR system of record and managed by HR. However, that will take time and a bit of effort. Until then, I'm hoping to construct a working POC model we can hopefully use when we're able to productionize in the HR system. 

 

I would like the stakeholders of the report(s) to own management of the access rules to alleviate the burden on the DnA team. Right now, what I'm thinking is having a roles and access rules dimension stored in SharePoint. I can then use this in the model to determine what fields a particular role filters on, and assign accordingly to the AAD security group. (Speaking of... has anyone connected AAD data to PBI? Like user profiles or group membership type data?)

 

Am I thinking about setting this up in the right way? Have you faced a similar challenge, and how did you end up doing it? Do you have any tips, tricks, recommendations, resources or links?

 

Thanks everyone

1 ACCEPTED SOLUTION
christinepayton
Super User

My lowest-maintenance method for RLS is to use the organizational hierarchy - so who reports to who - to filter the data. So the CEO can see everything, leadership can see things for everyone under them, managers can see their direct reports, and individual contributors can see only their own data. It's really easy to set this up if you have a source for the reports-to information - I did a tutorial here, it uses a single "role": https://youtu.be/Z0eeTTL7EhQ?si=_RCmATxfPgVAhzwW

 

I like to avoid manually-set roles wherever possible, they are just a nightmare to try to manage in a large org... if it's a requirement, then you have to do what you have to do - security groups help there to outsource the membership management, but using some attributes that already exist in your data is the easiest way to go in my opinion. 
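
A sketch of the single-role hierarchy filter this answer describes, as an added example rather than the code from the linked tutorial. The `Employee` table, its `EmployeeID`, `ManagerID`, `Email` and `Path` columns, and a one-to-many relationship from `Employee` to the fact tables are all assumed names and modelling choices.

```dax
-- Calculated column on the assumed Employee table:
-- the chain of IDs from the top of the organization down to this row.
Path = PATH ( Employee[EmployeeID], Employee[ManagerID] )

-- Table filter expression for the single role, set on Employee under
-- "Manage roles". Fact tables are filtered through their (assumed)
-- relationship to Employee.
VAR Me =
    LOOKUPVALUE (
        Employee[EmployeeID],
        Employee[Email], USERPRINCIPALNAME ()  -- Email must be unique per row
    )
RETURN
    -- Fail closed: a viewer with no Employee row matches nothing.
    NOT ISBLANK ( Me )
        -- Keep every row whose reporting chain passes through the viewer,
        -- which includes the viewer's own row.
        && PATHCONTAINS ( Employee[Path], Me )
```

The filter only applies to users with the Viewer role on the workspace; Admins, Members and Contributors see the unfiltered model.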

amitchandak
Super User

@CoreyP, an email-enabled AAD security group needs to be assigned to a role created in Power BI Desktop.

The role needs to be defined based on email/userprincipalname.

 

Power BI- Row Level Security(RLS): Handle ALL, UserPrincipalName: https://youtu.be/KVLEnIUo4pc


Yeah, for sure. What I was hoping to do is have the stakeholder-managed SharePoint list with something like this table. Then use that to assign the various roles to the rows of data to filter accordingly based on the UPN.

 

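| Role | AAD Group | Filter Fields | Restriction | Parameters |
|---|---|---|---|---|
| VIP | RLS - VIP | Region | No | |
| VIP | RLS - VIP | Customer | No | |
| VIP | RLS - VIP | Branch | No | |
| VIP | RLS - VIP | Metric | No | |
| Sales Rep | RLS - Sales Rep | Region | Yes | UPN's region (e.g. AMER) |
| Sales Rep | RLS - Sales Rep | Customer | Yes | UPN's list of accounts |
| Sales Rep | RLS - Sales Rep | Branch | No | |
| Sales Rep | RLS - Sales Rep | Metric | No | |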
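
How the two restricted Sales Rep rows of the table above could translate into a role filter, as an added example that is not part of the thread. The `Sales` fact table and the disconnected `UserRegion` and `UserAccount` mapping tables (one row per UPN and permitted value) are assumed names; the VIP role would be created with no table filter at all.

```dax
-- Table filter expression on the assumed Sales table for the
-- "Sales Rep" role (mapped to the "RLS - Sales Rep" AAD group).
VAR Upn = USERPRINCIPALNAME ()
RETURN
    -- Region rule: the row's region must be mapped to the viewer.
    CONTAINS (
        UserRegion,
        UserRegion[UPN], Upn,
        UserRegion[Region], Sales[Region]
    )
        -- Customer rule: the row's account must be in the viewer's list.
        && CONTAINS (
            UserAccount,
            UserAccount[UPN], Upn,
            UserAccount[CustomerID], Sales[CustomerID]
        )
-- A viewer with no mapping rows matches nothing, so a missing or
-- mistyped entry in the stakeholder-managed list fails closed.
-- Branch and Metric are unrestricted for this role, so no predicate.
```

Power BI roles are additive, so a user placed in both the RLS - VIP and RLS - Sales Rep groups gets the unrestricted VIP view.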

 
