Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Enhance your career with this limited time 50% discount on Fabric and Power BI exams. Ends August 31st. Request your voucher.

Reply
Anonymous
Not applicable

How to do Dynamic RLS in PowerBI without manually entering roles?

‎09-22-2020 02:27 PM

My company is trying to do Dynamic RLS for PowerBI Embedded on behalf of our customers, but I am running into some major roadblocks while trying to secure the data.  The requirements/steps of what we are doing are:

 

  • Create reports on behalf of our customers, who in turn give access to the reports to their customers.
  • Our customers create users/logins via our product (which they share with their customers), and assign key-value pairs to said users to act as security.  Example: {"groupId": 123, "region": ["US-West", "US-Southwest"]}
  • When the end-user logs into our application, they should see the embedded report filtered appropriately: group_id = 123 AND region IN ('US-West', 'US-Southwest')
  • Since the data is dynamically generated, and since these key-value-pairs aren't known ahead of time (neither the number of them, the keys, the values, or the data types), we cannot hardcode or hand-enter in roles anywhere (unless there is a static role or two that can be re-used), nor can we re-publish frequently as roles are modified.
  • We are taking the "App Owns Data" approach to embedding PowerBI in our application.

All approaches to RLS I have seen thus far require manual entry of roles/members either into a PowerBI Desktop, PowerBI web, and/or a static table in PowerBI Desktop.  Are there any approaches that will work?  The only option I have seen so far is attempting to embed the key-value-pairs into the embed token's username field (which is limited to 256 ASCII chars only) and somehow parse it using a DAX expression.

Labels:
Message 1 of 3
1,254 Views
2 REPLIES 2
TomMartens
Super User
Super User

‎09-23-2020 09:39 AM

Hey @Anonymous ,

 

I consider this requirement not possible, due to this simple fact: RLS is based on roles with rules assigned.

 

Theses rules are an essential part of the data model and can not be changed during querying.

 

I thinks the only viable approach is to create something called "JSON script filters", here you will find some more description: https://docs.microsoft.com/en-us/power-bi/developer/embedded/embedded-row-level-security#using-rls-vs-javascript-filters

 

Of course this is something that I would call: security by obscurity.

 

As this architecture is a more complex architecture, meaning there are three parties involved I would consider this approach:

  • Your customers has to provide you with information about email and the key/value pair
  • something (maybe an Azure function is executed triggerd by an Azure Logic App, the function executes a TMSL script and

voila a new role is created.

 

I have to admit, that I'm currently not sure if the data model has to be re-processed if a new role is added, my assumption: No!

 

Regards,
Tom



Did I answer your question? Mark my post as a solution, this will help others!

Proud to be a Super User!
I accept Kudos 😉
Hamburg, Germany
Message 3 of 3
1,177 Views
Greg_Deckler
Community Champion
Community Champion

‎09-22-2020 05:14 PM

@dm-p @TomMartens 

 



Follow on LinkedIn
@ me in replies or I'll lose your thread!!!
Instead of a Kudo, please vote for this idea
Become an expert!: Enterprise DNA
External Tools: MSHGQM
YouTube Channel!: Microsoft Hates Greg
Latest book!: DAX For Humans

DAX is easy, CALCULATE makes DAX hard...
Message 2 of 3
1,207 Views
0

Helpful resources

Announcements
August Power BI Update Carousel

Power BI Monthly Update - August 2025

Check out the August 2025 Power BI update to learn about new features.

August 2025 community update carousel

Fabric Community Update - August 2025

Find out what's new and trending in the Fabric community.

View All