Hello,
We have created an app which provides access to a set of reports for our senior executives. Our MD would now like us to provide access to that app to a set of managers in our organisation. However, they would like to hide one report which contains particularly sensitive information. So, in other words, when accessing the app, the senior executives will see the data in all reports but the managers will not be able to view the data in one specific report. The MD wants all reports to be packaged in one app.
It was suggested that we create a role in Power BI desktop and filter the report to hide the data. I've done this and it works when published to the Power BI service. However, it introduces a potential for risk. I've created a role which filters out all data (1=0 in the DAX). But it means I have to add users to that role to hide the data. So, if a user is added, they will, by default, see the data unless someone remembers to add them to this role. This needs to work the other way round so that by default no-one can see the data unless added to a role which does not filter it. Is there a way I can easily achieve this? Or is there a better solution?
Thanks
Nick
Hi Nick,
According to my test and the documentation, the RLS role will be applied to read-only members (including the users who are the audience of publishing the App). If a user has access to an App workspace and has a read-only view, the RLS role will work even if the role isn't assigned yet. So the user won't see anything until a proper role is assigned to him. If you forget to assign a role to a user, he/she can't see anything if he/she is a read-only member.
Now you have several things to consider.
1. If the RLS is good enough to hide the report.
2. If the users can be read-only members.
Best Regards!
Dale
Thank you to both of you. I have that working now. I didn't find it clear that enabling RLS would invoke a "no read access" default as opposed to the "full access" default without RLS.
@Astro Rather than add individual users to the report role, have the role use an AD security group (if possible) or a group container that has the users. In that regard, they would have to be part of the group to even see the report in the first place and your RLS is automatically applied.
@Anonymous, Thank you very much for your response. I'm trying to digest how to apply that and I'm not quite clear on the approach. There is an O365 group which I assume must get created when the app is published and users have been granted access to it via the Power BI service. But that group membership would mean they see everything in the app. I'm not quite clear how I assign view access to a group to the entire app with the exception of one report.
@Astro From the way I read your post it first sounded like you wanted permission-based report elements. Example: This group sees 4 reports, this group sees 3. -> This is not currently possible. The rest of your description made it sound like you figured that part out and were just going to apply RLS so that the other group just wouldn't see any data in report 4. My comment relates to the second.
With RLS, you can use a security group within the role. When you publish your App, you can publish to a security group. If the security group is the same, no one would have access to the app without also being a member of your security group and thus those users would always be filtered.