Find everything you need to get certified on Fabric—skills challenges, live sessions, exam prep, role guidance, and more. Get started
It appears that the groups used to control access to reports are not consistent with the groups used for roles in RLS. Is this correct? If so, there will be a big headache managing users and their access privileges!
As I understand it, after quite a bit of testing and research:
So it appears I have to set up two different groups to use these two features, and make sure I keep my users and groups synchronized manually? What a headache!
Does anyone have a solution for this?
Thanks.
Solved! Go to Solution.
Hi @SamTrexler,
1. "If I understand you correctly, the Power BI group will control access to the reports and dashboards, but has nothing to do with RLS. RLS has to be defined and managed separately, and separate groups set up for that if needed. Is that right?"
Yes, you are correct. Power BI group and RLS are different features, they are configured separately.
2. could you clarify for me your statement that "if you create a Power BI group, and set a member as group admin, the user can share the dashboard with Office 365 distribution group" (emphasis mine)? According to my security admin, "The only groups available in AD are office 365 groups, distribution, dynamic distribution, security and universal." Which type(s) of groups are you referring to with these two phrases? My testing isn't working as expected, so I need to know which types of groups work for this.
AS you said "If make make him an Admin of the group, he can edit the reports shared with the HelpDesk group; and", I assume the member is a admin of the Power BI group, and explain the RLS is not applied for this member in this scenario.
What I mentioned "user can share the dashboard with Office 365 distribution group" is that . And I have tested in lab about add Office 365 security group as a member of RLS role and it's working.
Best Regards,
Qiuyun Yu
@v-qiuyu-msft, thanks for your reply. I understand what you have described, and have tested it. But it means that I have to create two separate groups to control the users' access - one to control whether they can see and/or edit rports and dashboards, and another to control what they can see. That means I've got to set up manual procedures to make sure I keep these two groups in sync, etc. - or purchase (or write) some software to do the synchronization for me.
What I am looking for is a way to do this with a single group. For example, if I add james.smith to the the HelpDesk group then the following should happen:
As it stands now, unless I am missing something, I have to set up one kind of group (an Office365 group) to do the first two, and another kind of group (a security group) to do the last item. And that will be a big administrative headache.
Am I missing something? Is there a way to accomplish this? It seems ludicrous to force different groups for the different aspects of controlling access. I have submitted an "idea" to make these two areas consistent - that is, to allow either type of group to be used for both types of access. That way, I can still use two groups if I want to but I can use a single group if that makes sense, and ease the administrative work required to maintain the group and its reports and dashboards. Being able to use a single group will also limit the number of groups we need to have, which will further increase sharing of the reports and dashboards - and information.
But I'm hoping I have simply missed something, and someone can show me how to get this done. Is there any way to use a single group?
Thanks,
Sam
Hi @SamTrexler,
Do you mean the HelpDesk group is a Office 365 group?
Do you mean the group of "Admin of the group" is Power BI group or Office 365 group?
In a Power BI group, the member who can edit the report or is owner of the dataset, RLS is not applied for this user.
In your scenario, if you create a Power BI group, and set a member as group admin, the user can share the dashboard with Office 365 distribution group, and he can also edit dashboards, reports and datasets with the group. But at the same time, RLS settings set for datasets within this Power BI group will not applied for this user.
Best Regards,
Qiuyun Yu
@v-qiuyu-msft, thanks for the reply and confirmation. If I understand you correctly, the Power BI group will control access to the reports and dashboards, but has nothing to do with RLS. RLS has to be defined and managed separately, and separate groups set up for that if needed. Is that right?
Also, could you clarify for me your statement that "if you create a Power BI group, and set a member as group admin, the user can share the dashboard with Office 365 distribution group" (emphasis mine)? According to my security admin, "The only groups available in AD are office 365 groups, distribution, dynamic distribution, security and universal." Which type(s) of groups are you referring to with these two phrases? My testing isn't working as expected, so I need to know which types of groups work for this.
Thanks for your help.
Sam
Hi @SamTrexler,
1. "If I understand you correctly, the Power BI group will control access to the reports and dashboards, but has nothing to do with RLS. RLS has to be defined and managed separately, and separate groups set up for that if needed. Is that right?"
Yes, you are correct. Power BI group and RLS are different features, they are configured separately.
2. could you clarify for me your statement that "if you create a Power BI group, and set a member as group admin, the user can share the dashboard with Office 365 distribution group" (emphasis mine)? According to my security admin, "The only groups available in AD are office 365 groups, distribution, dynamic distribution, security and universal." Which type(s) of groups are you referring to with these two phrases? My testing isn't working as expected, so I need to know which types of groups work for this.
AS you said "If make make him an Admin of the group, he can edit the reports shared with the HelpDesk group; and", I assume the member is a admin of the Power BI group, and explain the RLS is not applied for this member in this scenario.
What I mentioned "user can share the dashboard with Office 365 distribution group" is that . And I have tested in lab about add Office 365 security group as a member of RLS role and it's working.
Best Regards,
Qiuyun Yu
So have you gotten this to work with Dynamic Distribution Groups?
Hi,
I have created one Group on Power BI which name is powerbi_testrls which have read access only as mentioned.
I've created a rôle which name is User US which implement row level security.
When I click on my dataset > security, I see all my organisation emails but I don't see my Power BI Group.
Hi,
I have 5 roles ,Role-1 , Role-2 , Role-3,Role-4,Role-5.
On power Bi , I had added emails on particular Roles group , I have multiple user for Support , and these users have all groups access , How Can I manage all roles in Power Bi , or How Can I create Support Role group in Power Bi desktop,
I have One table RoleGroup
Role_Code | Role_Name |
1 | Role-1 |
2 | Role-2 |
3 | Role-3 |
4 | Role-4 |
5 | Role-5 |
and In Power BI desktop I had assign Each role = [Role_Code] = "1" or other values.
How Can I manage for Support Role = [Role_Code] in ("1","2","3","4","5")
Please guide.
tthanks
vilas jadhav
Hi @SamTrexler,
In Power BI Service, RLS is used for restricting data access for given users, while the group workspace is used for restricting group members to view or edit group content.
But we can use those two features at the same time. We can use RLS feature for a dataset which is stored in a Power BI group workspace. But the roles will be applied to read-only members. So in a group, we need to specify the member which added under roles only can view content like below:
If you have any question, please feel free to ask.
Best Regards,
Qiuyun Yu
Check out the September 2024 Power BI update to learn about new features.
Learn from experts, get hands-on experience, and win awesome prizes.