cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Fabric is Generally Available. Browse Fabric Presentations. Work towards your Fabric certification with the Cloud Skills Challenge.

Reply
gemgorey
Advocate I
Advocate I

App audiences and OLS permissions

‎01-18-2023 08:34 AM

Hi all! Hoping someone on here can offer some advice.

 

I have a "golden dataset" which holds all my company information.  On that master dataset I have OLS on some tables and columns that I don't want to be viewed by everyone.  I have then several chained datasets that use direct Query from the master, and they only import the tables that they need. (As an aside, I wasn't aware that this feature was a thing - I had read said that in order to choose the tables for the report, it needed to be a composite model, but it did let me select the relevant tables.) I can't implement RLS on these chained datasets, but everything I have read leads me to believe that end users should still be limited by the RLS on the original dataset.

 

I have distributed the content to an overall company app, with multiple audiences.  A user of the group who shuldn't be able to see anything, can still see the schema of all of the other datasets which are stored in the app if they go to the datasets view.  I have stored all reports in the same workspace as I wanted it all in one app rather than having several apps.  They can't access the data and nothing is clickable, but I don't really want them to see the table names etc.

 

Is there a way around this? 

 

Thanks!

Labels:
Message 1 of 5
316 Views
0
4 REPLIES 4
Tutu_in_YYC
Resident Rockstar
Resident Rockstar

‎01-18-2023 12:27 PM

Is the user that can see all the data ( but not supposed to), is a part of the workspace with a role that is not Viewer?

And you mentioned OLS and RLS? Are both implemented in the dataset? 

Message 2 of 5
278 Views
0
gemgorey
Advocate I
Advocate I
In response to Tutu_in_YYC

‎01-18-2023 02:41 PM

Hi and thanks for your reply,

 

I dont have anyone in the workspaces other than myself.  I have been trying to implement things as much as I can with the reccomendations from microsoft with data being distributed through the new app audiences.  So my people are not members of any of the workspaces, they have build access to the golden dataset, (which I believe they need) and read access to the chained dataset granted through the app only.  I have OLS rules set in tabular editor which are assigned to the roles set up in the golden dataset.  These people are assigned in the security options in the golden dataset. I haven't got any RLS set up at the minute but I will need that soon, (I believe there is a workaround to get both to work together) I said RLS by mistake as service only seems to refer to RLS, but my roles are OLS.

 

So that's my setup at the minute.  The person can't get at any data but for business reasons I'd rather them not be able to see the schema and names of measures etc.

 

I will add that I am new to PBI and although I am trying to absorb as much info as possible from forms and tutorials - it is likely that I have missed something obvious!

 

Thanks 🙂

 

 

Message 3 of 5
268 Views
0
Tutu_in_YYC
Resident Rockstar
Resident Rockstar
In response to gemgorey

‎01-19-2023 08:00 AM

Based on my experiment a few months ago (also validated by other users in this forum),  you cant implement OLS and RLS both in the same dataset. 

You may already seen this, but this is a good overview blog on both OLS and RLS. I have not tried OLS on chained dataset, but I will give it a try when i have the chance. 
 

Message 4 of 5
257 Views
gemgorey
Advocate I
Advocate I
In response to Tutu_in_YYC

‎01-19-2023 08:18 AM

Thanks for that and the info!  Yes I have read that they can't be used togeher but I read about (but not tried) a workaround where you create groups with every permutation of the permissions - e.g. group 1 OLS with group 1 RLS, group 1 OLS with group 2 RLS etc... Sounds a bit long winded but hopefully implementable.

 

I have done a bit more testing today and found the following...

 

The person that could see the schemas of all the datasets was someone I inadvertantly added to the wrong audience in the app whilst testing.  When I have looked at the permissions in the dataset it shows that she now has read access to the datasets that she had access to in the higher group, even though I have now placed her in a different audience straight away.  So this means if we downgrade or change an audience we will need to ensure that the dataset permissions are removed for reports they shouldn't have, following a change of audience.

 

No-one else (who I added to the correct audiences) can see any dataset that they aren't meant to, even though these are stored in the same workspace - which is good - but they can still see columns that should be restricted to them with their OLS permissions.  They can't click on anything though.

 

I would just prefer if they couldn't see that column title thats all!  Does anyone have any ideas?

 

 

Message 5 of 5
252 Views

Helpful resources

Announcements
PBI November 2023 Update Carousel

Power BI Monthly Update - November 2023

Check out the November 2023 Power BI update to learn about new features.

Community News

Fabric Community News unified experience

Read the latest Fabric Community announcements, including updates on Power BI, Synapse, Data Factory and Data Activator.

Dashboard in a day with date

Exclusive opportunity for Women!

Join us for a free, hands-on Microsoft workshop led by women trainers for women where you will learn how to build a Dashboard in a Day!

Power BI Fabric Summit Carousel

The largest Power BI and Fabric virtual conference

130+ sessions, 130+ speakers, Product managers, MVPs, and experts. All about Power BI and Fabric. Attend online or watch the recordings.

View All
Top Solution Authors
View All