Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Find everything you need to get certified on Fabric—skills challenges, live sessions, exam prep, role guidance, and more. Get started

Reply
chandu500
Frequent Visitor

Governance for RLS logic code

Here is my technical question on Power BI:

Situation:

  • We have self-serve capability enabled for business author to create their own reports in a Report workspace
  • We have self-serve capability enabled for business author to shape the data and create data model – using dataflow and datasets in another Data workspace
  • As you can see we will have separate workspace for report and data
  • Business users have contribute access permission on workspaces

 

Question: RLS security logic in data workspace should be editable only by the IT developer of the workspace not the business author. How can that be accomplished? Any ideas?

 

1 ACCEPTED SOLUTION

Hi @chandu500 ,

 

It is by design.

Set the user as viewer in the workspace. If you want to assign some users with editing rights to the report, you can consider publishing the report as an app and assigning these users with build permissions. Or create a shared dataset based on this dataset and assign build permission.

https://docs.microsoft.com/en-us/power-bi/collaborate-share/service-create-distribute-apps#allow-use... 

https://docs.microsoft.com/en-us/power-bi/connect-data/service-datasets-share 

https://docs.microsoft.com/en-us/power-bi/connect-data/service-datasets-build-permissions 

 

Best Regards,
Liang
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

View solution in original post

7 REPLIES 7
V-lianl-msft
Community Support
Community Support

Hi @chandu500 ,

 

If you have configured the workspace so that members have edit permissions, the RLS roles will not be applied to them. Users will be able to see all of the data.

 

Best Regards,
Liang
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

 Hi @V-lianl-msft ,

 

You are right, aware of that. Which is the crux of my question. 

- we do not know how many business users will collaborate to mainatin the dataset/dataflow.

- so it is not prudent to allow these business users to see all the data.

 

- How can we ensure RLS works for the data workspace contributors too?

is there any other way to do it?

 

Thanks,

chandra 

lbendlin
Super User
Super User

Don't allow business users to mess with the dataset. Have a central dataset with RLS implemented, and force users to access that dataset in live mode.

 

Of course no user in their right mind would want to do that, at least not until composite mode will be available.

Thank you for reply.

In that case, we will take away the self-service capability for business users to shape and model data. In quite a few cases, it is business users or power users who are the most knowledgeable about the business. They can do a better job creating this data logic than translating it to IT and then IT developer doing it.

- this will be a step back for us from a philosophy of democratising BI and analytics

 

BTW, you are right no user in right frame of mind may fiddle with RLS logic. However, that will not satisfy Data security and governance folks. Because this is not a systemic check, but a more subjective one outside the system.  

Hi @chandu500 ,

 

It is by design.

Set the user as viewer in the workspace. If you want to assign some users with editing rights to the report, you can consider publishing the report as an app and assigning these users with build permissions. Or create a shared dataset based on this dataset and assign build permission.

https://docs.microsoft.com/en-us/power-bi/collaborate-share/service-create-distribute-apps#allow-use... 

https://docs.microsoft.com/en-us/power-bi/connect-data/service-datasets-share 

https://docs.microsoft.com/en-us/power-bi/connect-data/service-datasets-build-permissions 

 

Best Regards,
Liang
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

You missed my point. It is ok to present a gold standard data model to business users, in the form of a shared dataset that they can use but cannot modify. It is not ok to prevent the business users from blending in their own data into that dataset. The composite model feature will be critical to achieve both.

Agree with you. Got it!

Composite model is the need

Helpful resources

Announcements
Europe Fabric Conference

Europe’s largest Microsoft Fabric Community Conference

Join the community in Stockholm for expert Microsoft Fabric learning including a very exciting keynote from Arun Ulag, Corporate Vice President, Azure Data.

Power BI Carousel June 2024

Power BI Monthly Update - June 2024

Check out the June 2024 Power BI update to learn about new features.

RTI Forums Carousel3

New forum boards available in Real-Time Intelligence.

Ask questions in Eventhouse and KQL, Eventstream, and Reflex.

Top Solution Authors