Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Find everything you need to get certified on Fabric—skills challenges, live sessions, exam prep, role guidance, and more. Get started

Reply
gemgorey
Advocate I
Advocate I

App audiences and OLS permissions

Hi all! Hoping someone on here can offer some advice.

 

I have a "golden dataset" which holds all my company information.  On that master dataset I have OLS on some tables and columns that I don't want to be viewed by everyone.  I have then several chained datasets that use direct Query from the master, and they only import the tables that they need. (As an aside, I wasn't aware that this feature was a thing - I had read said that in order to choose the tables for the report, it needed to be a composite model, but it did let me select the relevant tables.) I can't implement RLS on these chained datasets, but everything I have read leads me to believe that end users should still be limited by the RLS on the original dataset.

 

I have distributed the content to an overall company app, with multiple audiences.  A user of the group who shuldn't be able to see anything, can still see the schema of all of the other datasets which are stored in the app if they go to the datasets view.  I have stored all reports in the same workspace as I wanted it all in one app rather than having several apps.  They can't access the data and nothing is clickable, but I don't really want them to see the table names etc.

 

Is there a way around this? 

 

Thanks!

4 REPLIES 4
Tutu_in_YYC
Resident Rockstar
Resident Rockstar

Is the user that can see all the data ( but not supposed to), is a part of the workspace with a role that is not Viewer?

And you mentioned OLS and RLS? Are both implemented in the dataset? 

Hi and thanks for your reply,

 

I dont have anyone in the workspaces other than myself.  I have been trying to implement things as much as I can with the reccomendations from microsoft with data being distributed through the new app audiences.  So my people are not members of any of the workspaces, they have build access to the golden dataset, (which I believe they need) and read access to the chained dataset granted through the app only.  I have OLS rules set in tabular editor which are assigned to the roles set up in the golden dataset.  These people are assigned in the security options in the golden dataset. I haven't got any RLS set up at the minute but I will need that soon, (I believe there is a workaround to get both to work together) I said RLS by mistake as service only seems to refer to RLS, but my roles are OLS.

 

So that's my setup at the minute.  The person can't get at any data but for business reasons I'd rather them not be able to see the schema and names of measures etc.

 

I will add that I am new to PBI and although I am trying to absorb as much info as possible from forms and tutorials - it is likely that I have missed something obvious!

 

Thanks 🙂

 

 

Based on my experiment a few months ago (also validated by other users in this forum),  you cant implement OLS and RLS both in the same dataset. 

You may already seen this, but this is a good overview blog on both OLS and RLS. I have not tried OLS on chained dataset, but I will give it a try when i have the chance. 
 

Thanks for that and the info!  Yes I have read that they can't be used togeher but I read about (but not tried) a workaround where you create groups with every permutation of the permissions - e.g. group 1 OLS with group 1 RLS, group 1 OLS with group 2 RLS etc... Sounds a bit long winded but hopefully implementable.

 

I have done a bit more testing today and found the following...

 

The person that could see the schemas of all the datasets was someone I inadvertantly added to the wrong audience in the app whilst testing.  When I have looked at the permissions in the dataset it shows that she now has read access to the datasets that she had access to in the higher group, even though I have now placed her in a different audience straight away.  So this means if we downgrade or change an audience we will need to ensure that the dataset permissions are removed for reports they shouldn't have, following a change of audience.

 

No-one else (who I added to the correct audiences) can see any dataset that they aren't meant to, even though these are stored in the same workspace - which is good - but they can still see columns that should be restricted to them with their OLS permissions.  They can't click on anything though.

 

I would just prefer if they couldn't see that column title thats all!  Does anyone have any ideas?

 

 

Helpful resources

Announcements
July 2024 Power BI Update

Power BI Monthly Update - July 2024

Check out the July 2024 Power BI update to learn about new features.

PBI_Carousel_NL_June

Fabric Community Update - June 2024

Get the latest Fabric updates from Build 2024, key Skills Challenge voucher deadlines, top blogs, forum posts, and product ideas.