RLS with Multiple Reports using Shared Dataset

Anonymous · ‎05-07-2020

Hi All,

Ever since the new workspace experience went GA my team and I have been big fans of the shared dataset feature. We've been working to replace disparate reports that are replicating the same data over and over to shared datasets that ensure consistency and leave less to maintain.

I've encountered an issue with two reports. For context, I'm an analyst in the technical support division of a software company. Support data is considered confidential when any personal identifiable information (PII) is present (such as a name, email, phone or ID) but not when it's based on non-PII like product name or version.

Report "One" sits in one app and presents support data based on each agent that owned it in technical support. Only agents and their managers have access, and there is RLS that only allows agents to see their own data and managers can only see their direct reports.

Report "Two" sits in another app and contains the same support data, however it is presented based on product, has no reference to the person who handled it. Everyone in the company can see this data since it has no PII.

The underlying datasets in both are identical and massive. However, I encounter an issue with RLS. There is one rule for restrictive RLS in report ONE and another with no RLS. There are users who exist in both apps but because I can't identify what app the user is accessing I can't prevent both rules from triggering when a user is logged in.

Any ideas on how to overcome this?

Here is the error that is being encountered:

error message

Here is a simplified representation of my data model:

sample data model

Anonymous · ‎05-08-2020

Hey @GilbertQ ,

Unfortunately adding the all the users to the workspace isn't feasble for us. The app contains 1,000+ users that we don't want in the workspace where developers have files in development (not yet ready for publication in the app).

But for a test, I attempted to do so and both rules still triggered.

v-xicai · ‎05-08-2020

Hi @Anonymous ,

Currently, RLS set for one shared dataset will take effect for all the related reports. It is not supported to set more than one security access for one shared dataset in Power BI currently. While your demand is a good idea , and you can post your new idea in Idea Forum , add your comments there to improve Power BI and make this feature coming sooner.

Best Regards,

Amy

Community Support Team _ Amy

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Anonymous · ‎05-08-2020

Hey @v-xicai ,

Thanks for looking into it! Unfortunately it doesn't seem like this is possible with the current version. It would be nice if I could apply a metadata field for what app the user is currently logged into like userprincipalname(). With shared datasets I see multi-app deployments being more common.

Alternatively, if PowerBI had column based security (like Tableau has for many years) this wouldn't be an issue. I could simply apply rules to individual columns based on role, making some "general use" and others more restrictive"

It looks like that 2nd idea already exists, I'm going to vote for that idea here

GilbertQ · ‎05-07-2020

Hi there

It would appear that this is because the RLS is being defined at the dataset level.

What if you had to add the users in the second app as members to the app workspace?

This would then overwrite the RLS in the second app and allow them to then see all the data?

Did I answer your question? Mark my post as a solution!

Proud to be a Super User!

Power BI Blog

RLS with Multiple Reports using Shared Dataset

Helpful resources

Power BI Monthly Update - November 2023

Fabric Community News unified experience

Exclusive opportunity for Women!

The largest Power BI and Fabric virtual conference