RLS and API

Anonymous · ‎12-17-2019

How can i get via api the role level security list associated to a dataset?

We have dozens of datasets and we would like to build a report that lists the RLS of the datasets; doing it manually is impossible.

Anonymous · ‎01-02-2020

HI @Anonymous ,

I'd like to suggest you write a complex RLS role with multiple conditions and username to achieve dynamic RLS(you can add a custom column to store 'query table source' for advanced conditions RLS filter).

After these steps, you only need to configure a security group for your users and assign the RLS role to this group to enable RLS filter. (I think these should help to reduce the workload of assign roles to users from dozens of RLS roles)

RLS with UserName()

Row-level security (RLS) with Power BI#add-members

You can add a member to the role by typing in the email address, or name, of the user, security group or distribution list you want to add. You cannot add Groups created within Power BI. You can add members external to your organization.

Regards,

Xiaoxin Sheng

Anonymous · ‎01-09-2020

Ciao @Anonymous ,

thanks for your answer, but the problem is not how to assign RLS but monitoring, perhaps with a dashboard, how and whom RLS are assigned.
For Example, my Internal Audit could ask: "which security rules are applied to the XYX group?"

mattLA · ‎09-22-2022

Hi did you get an answer to this - be interested to see where you got to.
You can do SSAS models (the XMLA I guess) using dynamic management views and I've done this for a SSAS model - I'm looking for how I apply this to a non-SSAS model (i.e. PBIX file loaded up to create the dataset/RLS).

Link here to get launched on DMVs:

https://learn.microsoft.com/en-us/analysis-services/instances/use-dynamic-management-views-dmvs-to-m...

Anonymous · ‎01-13-2020

Hi @Anonymous ,

After you add a group field into your user table, it will group users based on group fields. (notice: RLS filter should be applied to group field instead of username field)
So if users(A,B,C,D) are in group 'XYZ', after RLS filter enabled, they can view all XYZ group members' records. (RLS will use current username to find out the corresponding group and apply the filter to other tables based on group member usernames and relationship mapping)

If you still require more complex security manage, you can also add more tables and links to user table to enable higher-level RLS filter. (it will increase the complexity of RLS filter expressions)
For example:
Each user has his 'use role'(employee, leader, group manager, admin) and group, it will apply RLS filter based on the group and its role level. (employ: current user, leader: user and his employee, group manager: all users of current group, admin: all group users)
Regards,

Xiaoxin Sheng