Check your eligibility for this 50% exam voucher offer and join us for free live learning sessions to get prepared for Exam DP-700.
Get StartedDon't miss out! 2025 Microsoft Fabric Community Conference, March 31 - April 2, Las Vegas, Nevada. Use code MSCUST for a $150 discount. Prices go up February 11th. Register now.
Is there a way to enforce global row-level filtering of a dataset in the way Row Level Security does, but without having to assign users to a RLS role?
Context:
I'm not part of our tenant's BI team that manage the PBI tenant settings, nor any other administrative unit. I just provide "self service" analytics (for some definition of self service) to my department and its subdivisions. Accordingly, my options are somewhat limited.
I have a dataset where I want given users, including report builders, to only see parts of the data. I already have a table mapping UPNs to the relevant filter groups in the dataset (based on groups internal to the source system, technically unrelated to any external structures). I have also implemented an RLS-Role using that table to filter (as well as another showing everything), tested it by assigning individual users and verifying the functionality.
The issue I'm dealing with is that this dataset is intended to be distributed to a larger audience. I can assign viewing permissions to the dataset and reports based on MS Teams groups which cover all the intended viewers, and manually assign building permissions to report builders.
However, I can't seem to assign those same Teams groups to the security roles - neither by name nor by copying their email from the dataset's permissions table. The former reports that I "can't use invalid or duplicate emails", the latter that "One or more email addresses could not be validated".
Individually adding the entire intended audience to the role would present a lot of manual effort and each new user the report is shared to would again require manual work.
Using UPN-based filter measures instead of roles only works on individual visuals, would expose the whole data to all report builders and charge them with the responsibility to add that filter to each and every visual, which is more effort for them to create reports and impossible for me to govern.
In summary: Is there a way to enable wider distribution of this data without either
a) individually adding each user to the security role,
b) sacrificing security,
c) building individual datasets for each target group?
Bonus: If it's possible to auto-assign people to roles, that would also help with OLS. Currently, that's not a requirement however.
Solved! Go to Solution.
Not sure about your company but we have PDLs that cover all employees. That's what you usually assign to that single role.
Read about the difference between static RLS (roles) and dynamic RLS (reference tables)
I do have dynamic RLS, see the second paragraph of context. It still requires having at least one security role containing all these users, which means adding all those users to that role.
The issue isn't adding users to individual roles, but adding users in bulk at all. Essentially, what I need isn't just Dynamic RLS, I need Dynamic Role Membership too, and MS-Teams groups don't seem to work. They work for Report or Dataset Permissions, but not for Security for whatever reason.
Not sure about your company but we have PDLs that cover all employees. That's what you usually assign to that single role.
So it's just that Teams Groups don't count as groups for the security role, even if they do count for the report permissions? I admit I don't understand the distinction, nor do I know that side of administration, but I'll talk to our domain administrators and see if they can help me out on that.
Thanks for the pointer!
User | Count |
---|---|
24 | |
21 | |
11 | |
11 | |
10 |
User | Count |
---|---|
50 | |
31 | |
20 | |
18 | |
15 |