Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Find everything you need to get certified on Fabric—skills challenges, live sessions, exam prep, role guidance, and more. Get started

Reply
SamTrexler
Helper IV
Helper IV

Groups for access versus groups for roles?

It appears that the groups used to control access to reports are not consistent with the groups used for roles in RLS. Is this correct? If so, there will be a big headache managing users and their access privileges!

 

As I understand it, after quite a bit of testing and research:

  • Power BI groups:
    • Allow you to share reports and dashboards with a user community, controlling access - works great
    • Cannot use an existing Office 365 security group, or add an Office 365 security group as a "member"
  • Roles defined for Row-Level Security:
    • Can control what data a user sees - very helpful, works fine, I just need to learn DAX better
    • Cannot add a Power BI group as a "member"

So it appears I have to set up two different groups to use these two features, and make sure I keep my users and groups synchronized manually? What a headache!

 

Does anyone have a solution for this?

 

Thanks.

1 ACCEPTED SOLUTION

Hi @SamTrexler,

 

1. "If I understand you correctly, the Power BI group will control access to the reports and dashboards, but has nothing to do with RLS. RLS has to be defined and managed separately, and separate groups set up for that if needed. Is that right?"

 

Yes, you are correct. Power BI group and RLS are different features, they are configured separately.

 

2. could you clarify for me your statement that "if you create a Power BI group, and set a member as group admin, the user can share the dashboard with Office 365 distribution group" (emphasis mine)? According to my security admin, "The only groups available in AD are office 365 groups, distribution, dynamic distribution, security and universal." Which type(s) of groups are you referring to with these two phrases? My testing isn't working as expected, so I need to know which types of groups work for this.

 

AS you said "If make make him an Admin of the group, he can edit the reports shared with the HelpDesk group; and", I assume the member is a admin of the Power BI group, and explain the RLS is not applied for this member in this scenario.

 

What I mentioned  "user can share the dashboard with Office 365 distribution group" is that . And I have tested in lab about add Office 365 security group as a member of RLS role and it's working.

 

Best Regards,
Qiuyun Yu

 

 

Community Support Team _ Qiuyun Yu
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

View solution in original post

8 REPLIES 8
SamTrexler
Helper IV
Helper IV

@v-qiuyu-msft, thanks for your reply. I understand what you have described, and have tested it. But it means that I have to create two separate groups to control the users' access - one to control whether they can see and/or edit rports and dashboards, and another to control what they can see. That means I've got to set up manual procedures to make sure I keep these two groups in sync, etc. - or purchase (or write) some software to do the synchronization for me.

 

What I am looking for is a way to do this with a single group. For example, if I add james.smith to the the HelpDesk group then the following should happen:

  • James can run any report or dashboard shared with the HelpDesk group;
  • If make make him an Admin of the group, he can edit the reports shared with the HelpDesk group; and,
  • Row-Level Security will restrict which rows he can see, e.g., only those for stations that he is responsible for (unless he is an Admin, in which case he sees all rows).

As it stands now, unless I am missing something, I have to set up one kind of group (an Office365 group) to do the first two, and another kind of group (a security group) to do the last item. And that will be a big administrative headache.

 

Am I missing something? Is there a way to accomplish this? It seems ludicrous to force different groups for the different aspects of controlling access. I have submitted an "idea" to make these two areas consistent - that is, to allow either type of group to be used for both types of access. That way, I can still use two groups if I want to but I can use a single group if that makes sense, and ease the administrative work required to maintain the group and its reports and dashboards. Being able to use a single group will also limit the number of groups we need to have, which will further increase sharing of the reports and dashboards - and information.

 

But I'm hoping I have simply missed something, and someone can show me how to get this done. Is there any way to use a single group?

 

Thanks,

 

Sam

 

Hi @SamTrexler,

 

  • James can run any report or dashboard shared with the HelpDesk group;

       Do you mean the HelpDesk group is a Office 365 group?

 

  • If make make him an Admin of the group, he can edit the reports shared with the HelpDesk group; and,

        Do you mean the group of "Admin of the group" is Power BI group or Office 365 group?

 

  • Row-Level Security will restrict which rows he can see, e.g., only those for stations that he is responsible for (unless he is an Admin, in which case he sees all rows).

         In a Power BI group, the member who can edit the report or is owner of the dataset, RLS is not applied for this user.

 

In your scenario, if you create a Power BI group, and set a member as group admin, the user can share the dashboard with Office 365 distribution group, and he can also edit dashboards, reports and datasets with the group. But at the same time, RLS settings set for datasets within this Power BI group will not applied for this user.

 

Best Regards,
Qiuyun Yu

 

 

Community Support Team _ Qiuyun Yu
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

@v-qiuyu-msft, thanks for the reply and confirmation. If I understand you correctly, the Power BI group will control access to the reports and dashboards, but has nothing to do with RLS. RLS has to be defined and managed separately, and separate groups set up for that if needed. Is that right?

 

Also, could you clarify for me your statement that "if you create a Power BI group, and set a member as group admin, the user can share the dashboard with Office 365 distribution group" (emphasis mine)? According to my security admin, "The only groups available in AD are office 365 groups, distribution, dynamic distribution, security and universal." Which type(s) of groups are you referring to with these two phrases? My testing isn't working as expected, so I need to know which types of groups work for this.

 

Thanks for your help.

 

Sam

Hi @SamTrexler,

 

1. "If I understand you correctly, the Power BI group will control access to the reports and dashboards, but has nothing to do with RLS. RLS has to be defined and managed separately, and separate groups set up for that if needed. Is that right?"

 

Yes, you are correct. Power BI group and RLS are different features, they are configured separately.

 

2. could you clarify for me your statement that "if you create a Power BI group, and set a member as group admin, the user can share the dashboard with Office 365 distribution group" (emphasis mine)? According to my security admin, "The only groups available in AD are office 365 groups, distribution, dynamic distribution, security and universal." Which type(s) of groups are you referring to with these two phrases? My testing isn't working as expected, so I need to know which types of groups work for this.

 

AS you said "If make make him an Admin of the group, he can edit the reports shared with the HelpDesk group; and", I assume the member is a admin of the Power BI group, and explain the RLS is not applied for this member in this scenario.

 

What I mentioned  "user can share the dashboard with Office 365 distribution group" is that . And I have tested in lab about add Office 365 security group as a member of RLS role and it's working.

 

Best Regards,
Qiuyun Yu

 

 

Community Support Team _ Qiuyun Yu
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

So have you gotten this to work with Dynamic Distribution Groups? 

Hi,

 

I have created one Group on Power BI which name is powerbi_testrls which have read access only as mentioned.

I've created a rôle which name is User US which implement row level security.

When I click on my dataset > security, I see all my organisation emails but I don't see my Power BI Group.

Hi, 

 

I have 5 roles ,Role-1 , Role-2 , Role-3,Role-4,Role-5. 

 

On power Bi , I had added emails on particular Roles group , I have multiple user for Support , and these users have all groups access , How Can I manage all roles in Power Bi , or How Can I create Support Role group  in Power Bi desktop,

I have One  table RoleGroup 

Role_CodeRole_Name
1Role-1             
2Role-2             
3Role-3             
4Role-4             
5Role-5             

 

and In Power BI desktop I had assign Each role = [Role_Code] = "1" or other values. 

 

How Can I manage for Support Role =  [Role_Code] in ("1","2","3","4","5")

 

Please guide. 

 

tthanks 

vilas jadhav 

 

v-qiuyu-msft
Community Support
Community Support

Hi @SamTrexler,

 

 

In Power BI Service, RLS is used for restricting data access for given users, while the group workspace is used for restricting group members to view or edit group content.

 

But we can use those two features at the same time. We can use RLS feature for a dataset which is stored in a Power BI group workspace. But the roles will be applied to read-only members. So in a group, we need to specify the member which added under roles only can view content like below:

 

rls-group-settings.png

 

If you have any question, please feel free to ask.

 

Best Regards,
Qiuyun Yu

 

 

Community Support Team _ Qiuyun Yu
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Helpful resources

Announcements
July 2024 Power BI Update

Power BI Monthly Update - July 2024

Check out the July 2024 Power BI update to learn about new features.

July Newsletter

Fabric Community Update - July 2024

Find out what's new and trending in the Fabric Community.