Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
omacoder
Helper II
Helper II

Role Security in a Model - Mix depending on workspace/report

If I have role security defined in a model, is it possible to:

 

  • have 1 report utilize the role security, and
  • have 1 report not utilize the role security

 

Scenario: 

We're in the business of processing files through a workflow.

I want several reports that go down to the file detail and utilizes the role security so each processor can see the detail on their files,

but I also want several "high level" count reports showing file counts in the different stages of the life cycle. However, I want everyone to see these high level counts.

 

Also, I'd like to only have to manage 1 model.

 

Feasible?

Or do I need two models: 

     one to handle the detail reports with assigned role security in PowerBI Service,

     and one with no roles in the model?

 

9 REPLIES 9
dobregon
Impactful Individual
Impactful Individual

Hi @omacoder 

If i'm understanding well, you have a model and from that model you want to have different reports, ones with RLS and others with no RLS.

 

Something that you can do is to create one general report with the general model with all the measures necessariess and then you can create 2 reports that take the dataset from this general model (upload the general model to the powerbiservice and connect to that model in the 2 reports), one report you can create the sheets with details and RLS and the other with General info without RLS.

Then if it is more easy for you, you can create in your azure (if you have) a distribution list (thhat it is more ease to manage who can access to the report) and then share as readers the report to the distribution list.

 

The people as readers will be affected by the RLS and the admins or editors in the workspace (normally should be internal people of your company) will not be affected to the RLS.



Did I answer your question? Mark my post as a solution! Appreciate with a Kudos!! (Click the Thumbs Up Button)

@v-jayw-msft , I'm not going to maintain two exact copies of the same very detailed model. This is a developers nightmare.

 

@dobregon yes, you are understanding. We have one large very complex model. That model has roles defined for RLS. The model is published to the service and the model contains ZERO reports.

Developers and report writers then create reports off of this model, all in Service. Utilizing the shared and certified model / dataset.   Some of these reports that get created NEED to have the RLS applied. However, some of these reports also need to BYPASS the RLS because these are regional managers who need to see 100% of the content. I'm not clear on your proposal on how we would implement this?

Anonymous
Not applicable

@omacoder  RLS is an all or nothing deal.  The "contributer" exception is the only bypass, which is done for the necessity of development.

 

Creating a superuser role is the best work around here, which is generally what i do with Azure SSAS models where RLS is enforced.  In Azure i can add Active Directory Security Groups to the role, which helps me manage access.  I've not tried using these groups in RLS specifically, but they do work in Workspace and App permissions, so i'd have some confidence it could work in there too.

v-jayw-msft
Community Support
Community Support

Hi @omacoder ,

 

RLS is based on data not report. That's why RLS is only effective for the users who don't have the right to edit underlying data(Viewer). So basically, yes, you need two models.

 

Best Regards,

Jay

Community Support Team _ Jay Wang

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Community Support Team _ Jay
If this post helps, then please consider Accept it as the solution
to help the other members find it.
Anonymous
Not applicable

Once Row Level security is on, every user must have 1 or more roles in order to see anything.

 

You can create a SuperUser role, which has access to everything and assign people to that role.

Also... per https://docs.microsoft.com/en-us/power-bi/service-admin-rls

It is possible that the RLS role doesn't get applied when members have "Edit" permissions.

However, it is not clear what classifies an "Edit" permission in a workspace or app??

This information isn't completely correct... I have users who can see everything, and they are assigned to zero roles in PowerBI Service.

 

They may be specified as a workspace admin -- but, they can still see everything in the model...?

 

Anonymous
Not applicable

Workspace admins are developers with the highest access, for the purpose of Power BI.  They are an exception to the rule.  If you are creating reports for people to use, they shouldn't be admins.  Report consumers have security applied to them.

Anonymous
Not applicable

The same goes for  "Edit" permissions.  Edit permissions is to mark someone as a developer, which is why some of the RLS doesn't apply.  When releasing reports to users, they aren't developers and need to fall under standard security.

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

Top Solution Authors
Top Kudoed Authors