Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

The Power BI DataViz World Championships are on! With four chances to enter, you could win a spot in the LIVE Grand Finale in Las Vegas. Show off your skills.

Reply
chandu500
Frequent Visitor

Governance for RLS logic code

Here is my technical question on Power BI:

Situation:

  • We have self-serve capability enabled for business author to create their own reports in a Report workspace
  • We have self-serve capability enabled for business author to shape the data and create data model – using dataflow and datasets in another Data workspace
  • As you can see we will have separate workspace for report and data
  • Business users have contribute access permission on workspaces

 

Question: RLS security logic in data workspace should be editable only by the IT developer of the workspace not the business author. How can that be accomplished? Any ideas?

 

1 ACCEPTED SOLUTION

Hi @chandu500 ,

 

It is by design.

Set the user as viewer in the workspace. If you want to assign some users with editing rights to the report, you can consider publishing the report as an app and assigning these users with build permissions. Or create a shared dataset based on this dataset and assign build permission.

https://docs.microsoft.com/en-us/power-bi/collaborate-share/service-create-distribute-apps#allow-use... 

https://docs.microsoft.com/en-us/power-bi/connect-data/service-datasets-share 

https://docs.microsoft.com/en-us/power-bi/connect-data/service-datasets-build-permissions 

 

Best Regards,
Liang
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

View solution in original post

7 REPLIES 7
V-lianl-msft
Community Support
Community Support

Hi @chandu500 ,

 

If you have configured the workspace so that members have edit permissions, the RLS roles will not be applied to them. Users will be able to see all of the data.

 

Best Regards,
Liang
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

 Hi @V-lianl-msft ,

 

You are right, aware of that. Which is the crux of my question. 

- we do not know how many business users will collaborate to mainatin the dataset/dataflow.

- so it is not prudent to allow these business users to see all the data.

 

- How can we ensure RLS works for the data workspace contributors too?

is there any other way to do it?

 

Thanks,

chandra 

lbendlin
Super User
Super User

Don't allow business users to mess with the dataset. Have a central dataset with RLS implemented, and force users to access that dataset in live mode.

 

Of course no user in their right mind would want to do that, at least not until composite mode will be available.

Thank you for reply.

In that case, we will take away the self-service capability for business users to shape and model data. In quite a few cases, it is business users or power users who are the most knowledgeable about the business. They can do a better job creating this data logic than translating it to IT and then IT developer doing it.

- this will be a step back for us from a philosophy of democratising BI and analytics

 

BTW, you are right no user in right frame of mind may fiddle with RLS logic. However, that will not satisfy Data security and governance folks. Because this is not a systemic check, but a more subjective one outside the system.  

Hi @chandu500 ,

 

It is by design.

Set the user as viewer in the workspace. If you want to assign some users with editing rights to the report, you can consider publishing the report as an app and assigning these users with build permissions. Or create a shared dataset based on this dataset and assign build permission.

https://docs.microsoft.com/en-us/power-bi/collaborate-share/service-create-distribute-apps#allow-use... 

https://docs.microsoft.com/en-us/power-bi/connect-data/service-datasets-share 

https://docs.microsoft.com/en-us/power-bi/connect-data/service-datasets-build-permissions 

 

Best Regards,
Liang
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

You missed my point. It is ok to present a gold standard data model to business users, in the form of a shared dataset that they can use but cannot modify. It is not ok to prevent the business users from blending in their own data into that dataset. The composite model feature will be critical to achieve both.

Agree with you. Got it!

Composite model is the need

Helpful resources

Announcements
Las Vegas 2025

Join us at the Microsoft Fabric Community Conference

March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount!

Feb2025 Sticker Challenge

Join our Community Sticker Challenge 2025

If you love stickers, then you will definitely want to check out our Community Sticker Challenge!

Feb2025 NL Carousel

Fabric Community Update - February 2025

Find out what's new and trending in the Fabric community.