Solved: Allow specific user to add/remove RLS in Service w...

moonlit337 · ‎03-05-2023

Hello. My current situation is as follow:

I developed a PBI report and published it to a workspace. This report is used by multiple countries, and they are only allowed to view their own countries content. Each countries will keep adding and removing users from their own region frequently, so I want to pass this responsibility to them.

My initial idea is to give one user per county a "Contributor" role so that they can add/remove people in the RLS list. But I just realize that they can also download the PBIX file, and after they download it then the RLS restrictions won't apply anymore and they can see other countries data too.

Is there a way for me to give permission to each countries to edit RLS names, but at the same time prevent them from downloading the PBIX file?

ichavarria · ‎03-06-2023

Unfortunately, there isn't a way to prevent contributors from downloading the PBIX file. Once they have access to the report, they have access to the file.

However, there are a few things you can do to mitigate this risk:

Educate the contributors: Make sure they understand the risks of downloading and sharing the PBIX file with unauthorized users.
Enable Audit Logs: Enable audit logs to track who is downloading the PBIX file and when.
Use encryption: Consider using file-level encryption to protect the PBIX file.
Use a dedicated workspace: Create a separate workspace for each country, and only give access to the people who need it.
Use a third-party tool: Consider using a third-party tool that provides additional security measures for your Power BI reports.

Note that RLS only works in the Power BI service, and not in Power BI Desktop. Therefore, if contributors need to make changes to the RLS rules, they will need access to the report in the Power BI service.

Best regards,

Isaac Chavarria

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly

View solution in original post

ichavarria · ‎03-06-2023

Unfortunately, there isn't a way to prevent contributors from downloading the PBIX file. Once they have access to the report, they have access to the file.

However, there are a few things you can do to mitigate this risk:

Educate the contributors: Make sure they understand the risks of downloading and sharing the PBIX file with unauthorized users.
Enable Audit Logs: Enable audit logs to track who is downloading the PBIX file and when.
Use encryption: Consider using file-level encryption to protect the PBIX file.
Use a dedicated workspace: Create a separate workspace for each country, and only give access to the people who need it.
Use a third-party tool: Consider using a third-party tool that provides additional security measures for your Power BI reports.

Note that RLS only works in the Power BI service, and not in Power BI Desktop. Therefore, if contributors need to make changes to the RLS rules, they will need access to the report in the Power BI service.

Best regards,

Isaac Chavarria

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly

moonlit337 · ‎03-07-2023

Hi @ichavarria , thank you for the replies and suggestions.

For item 3, when users download the file directly from workspace, can it still retain the file-level encryption?

For item 5, can you suggest what 3rd party tool that I can look into?

Allow specific user to add/remove RLS in Service without allowing them to download the PBIX file

Helpful resources

Power BI Monthly Update - April 2024