Hello Everyone,
I want to filter my report based on the user: each user has his own shop and can see its own data.
But there are thousands of users, and some users are able to see all shops' data.
That's why there are AD groups: let's say shop directors belong to the A-group, and the people from the company's headquarters belong to the B-group in the AD and can see everything.
Now I want to just add both groups in the security report in the portal.
But I want each director to still see only his own shop's data.
Do you know how I can do that?
Generally, you can use AD groups (and users) to assign report permissions or report roles. But for RLS rules you need to work with AD users (using userprincipalname), not with AD groups.
In your case you have two options:
1) Access control based on your existing AD groups (recommended). In this case you need to create two RLS roles:
- the first, like "SeeEverything", without any RLS rules. Assign your AD B-group to this role.
- the second, like "ShopDirectors", with an RLS rule (you will need a table with USER and SHOP columns for shop directors). Assign your AD A-group to this role.
2) Without AD group dependency: create an RLS role with an RLS rule based on a table with USER and SHOP columns for all users (from the A or B group). Assign both the A-group and the B-group to this role, and maybe also Everyone (it doesn't matter, because access will be driven by the RLS rule).
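The two roles from option 1 above, written out as an added example that is not part of the original reply. The table and column names ('UserShop'[User], 'UserShop'[Shop], 'Sales'[Shop]) are assumptions for illustration; substitute the names from your own model.

```dax
// Assumed model (hypothetical names, not from the thread):
//   'UserShop' : mapping table, one row per (user, shop) pair
//                [User] holds the sign-in name (UPN), [Shop] the shop key
//                constructed sample row: director1@example.com | SHOP-001
//   'Sales'    : fact table with a [Shop] column
//
// Role "SeeEverything"   (members: AD B-group)
//   Define the role with no table filter expression at all.
//   With no filter, no rows are removed for its members.
//
// Role "ShopDirectors"   (members: AD A-group)
//   Table filter DAX expression on 'Sales':
//   keep a Sales row only if its shop is mapped to the signed-in user.
'Sales'[Shop]
    IN SELECTCOLUMNS (
        FILTER (
            'UserShop',
            'UserShop'[User] = USERPRINCIPALNAME ()
        ),
        "Shop", 'UserShop'[Shop]
    )
// A director with no row in 'UserShop' matches nothing and sees no
// Sales rows, so a missing mapping fails closed rather than open.
//
// Option 2 uses this same expression in a single role assigned to both
// groups. Under that design a head-office user only sees the shops
// listed for them, so the assumption is that 'UserShop' carries one
// row per shop for each of those users.
```

Roles are additive: a user who ends up in both the A-group and the B-group gets the union of both roles and therefore sees every shop. Use "View as" on the role in Power BI Desktop, or "Test as role" in the service, to confirm what a given director actually sees before sharing the report.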
Hi @Nory,
In my opinion, what you need is Dynamic Row Level Security with Hierarchy. For the Dynamic Row Level Security with Hierarchy case, you may refer to these blogs:
https://radacad.com/dynamic-row-level-security-with-organizational-hierarchy-power-bi
https://www.blue-granite.com/blog/using-dynamic-row-level-security-with-organizational-hierarchies
Please understand that these links are provided "AS IS" with no warranties or guarantees of content changes, and confer no rights.
Best Regards
Lucien
Row level security is set up in the model, and for this to work you will need to have a table that has all the users and the shop they belong to. Once you set up row level security, you can use AD groups in the portal to give users access to the report. https://learn.microsoft.com/en-us/power-bi/enterprise/service-admin-rls
To summarize, there are two different concepts: row level security is set up in the model; once the model/report is published, you can use AD groups to set up security so you can control who can access the report.