Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

July 7 - July 17 | Round 2 of the Power BI Dataviz World Championships. Don't miss your chance! Learn more

Reply
Astro
Helper I
Helper I

App Security and Roles

Hello,

 

We have created an app which provides access to a set of reports for our senior executives. Our MD would now like us to provide access to that app to a set of managers in our organisation. However, they would like to hide one report which contains particularly sensitive information. So, in otherwords, when accessing the app, the senior executives will see the data in all report but the managers will not be able to view the data in one specific report. The MD wants all reports to be packaged in one app.

 

It was suggested that we create a role in Power BI desktop and filter the report to hide the data. I've done this and it works when published to the Power BI service. However, it introduces a potential for risk. I've created a role which filters out all data (1=0 in the DAX). But it means I have to add users to that role to hide the data. So, if a user is added, they will, by default see the data unless someone remembers to add them to this role. This needs to work the other way round so that by default no-one can see the data unless added to a role which does not filter it. Is there a way I can easily achieve this? Or is there a better solution?

 

Thanks

Nick

1 ACCEPTED SOLUTION
v-jiascu-msft
Microsoft Employee
Microsoft Employee

@Astro,

 

Hi Nick,

 

According to my test and the documentation, the RLS role will be applied to read-only members (including the users who are the audience of publishing the App). If a user have access to an App workspace and have read-only view, the RLS role will work even the role isn't assigned yet. So the user won't see anything until a proper role is assigned to him. If you forget to assign a role to a user, he/she can't see anything if he/she is a read-only member.

Now you have several things to consider.

1. If the RLS is good enough to hide the report.

2. If the users can be read-only members.

 

Best Regards!

Dale

Community Support Team _ Dale
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

View solution in original post

5 REPLIES 5
v-jiascu-msft
Microsoft Employee
Microsoft Employee

@Astro,

 

Hi Nick,

 

According to my test and the documentation, the RLS role will be applied to read-only members (including the users who are the audience of publishing the App). If a user have access to an App workspace and have read-only view, the RLS role will work even the role isn't assigned yet. So the user won't see anything until a proper role is assigned to him. If you forget to assign a role to a user, he/she can't see anything if he/she is a read-only member.

Now you have several things to consider.

1. If the RLS is good enough to hide the report.

2. If the users can be read-only members.

 

Best Regards!

Dale

Community Support Team _ Dale
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Thank you to both of you. I have that working now. I didn't find it clear that enabling RLS would invoke a "no read access" default as opposed to the "full access" default without RLS.

Anonymous
Not applicable

@Astro Rather than add individual users to the report role, have the role use an AD security group (if possible) or a group container that has the users. In that regard, they would have to be part of the group to even see the report in the first place and your RLS is automatically applied.

@Anonymous, Thank you very much for your response. I'm trying to digest how to apply that and I'm not quite clear on the approach. There is an O365 group which I assume must get created when the app is published and users have been granted access to it via the Power BI service. But that group membership would mean they see everything in the app. I'm not quite clear how I assign view access to a group to the entire app with the exception of one report.

Anonymous
Not applicable

@Astro From the way I read your post it first sounded like you wanted permission based report elements. Example: This groups sees 4 reports, this group sees 3. - > This is not currently possible. The rest of your description made it sound like you figured that part out and were just going to apply RLS so that the other group just wouldn't see any data in report 4. My comments relates to the second.

With RLS, you can use a security group within the role. When you publish your App, you can publish to a security group. If the security group is the same, no one would have access to the app without also being a member of your security group and thus those users would always be filtered.

Helpful resources

Announcements
FabCon and SQLCon Barcelona 2026

FabCon & SQLCon – Barcelona 2026

Join us in Barcelona for FabCon and SQLCon, the Fabric, Power BI, SQL, and AI community event. Save €200 with code FABCMTY200.

60 days of Data Days Carousel

Data Days 2026

Join Fabric Data Days 2026: 60 days of free live/on-demand sessions, challenges, study groups, and certification opportunities.

Power BI DataViz World Championships carousel

Power BI DataViz World Championships - June 2026

A new Power BI DataViz World Championship is coming this June! Don't miss out on submitting your entry.