Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Microsoft is giving away 50,000 FREE Microsoft Certification exam vouchers. Get Fabric certified for FREE! Learn more

Reply
omacoder
Helper II
Helper II

Role Security in a Model - Mix depending on workspace/report

‎01-29-2020 07:39 PM

If I have role security defined in a model, is it possible to:

 

  • have 1 report utilize the role security, and
  • have 1 report not utilize the role security

 

Scenario: 

We're in the business of processing files through a workflow.

I want several reports that go down to the file detail and utilizes the role security so each processor can see the detail on their files,

but I also want several "high level" count reports showing file counts in the different stages of the life cycle. However, I want everyone to see these high level counts.

 

Also, I'd like to only have to manage 1 model.

 

Feasible?

Or do I need two models: 

     one to handle the detail reports with assigned role security in PowerBI Service,

     and one with no roles in the model?

 

Labels:
Message 1 of 10
722 Views
0
9 REPLIES 9
dobregon
Impactful Individual
Impactful Individual

‎01-31-2020 01:34 AM

Hi @omacoder 

If i'm understanding well, you have a model and from that model you want to have different reports, ones with RLS and others with no RLS.

 

Something that you can do is to create one general report with the general model with all the measures necessariess and then you can create 2 reports that take the dataset from this general model (upload the general model to the powerbiservice and connect to that model in the 2 reports), one report you can create the sheets with details and RLS and the other with General info without RLS.

Then if it is more easy for you, you can create in your azure (if you have) a distribution list (thhat it is more ease to manage who can access to the report) and then share as readers the report to the distribution list.

 

The people as readers will be affected by the RLS and the admins or editors in the workspace (normally should be internal people of your company) will not be affected to the RLS.



Did I answer your question? Mark my post as a solution! Appreciate with a Kudos!! (Click the Thumbs Up Button)
Message 8 of 10
650 Views
0
omacoder
Helper II
Helper II
In response to dobregon

‎02-03-2020 09:09 PM

@v-jayw-msft , I'm not going to maintain two exact copies of the same very detailed model. This is a developers nightmare.

 

@dobregon yes, you are understanding. We have one large very complex model. That model has roles defined for RLS. The model is published to the service and the model contains ZERO reports.

Developers and report writers then create reports off of this model, all in Service. Utilizing the shared and certified model / dataset.   Some of these reports that get created NEED to have the RLS applied. However, some of these reports also need to BYPASS the RLS because these are regional managers who need to see 100% of the content. I'm not clear on your proposal on how we would implement this?

Message 9 of 10
628 Views
0
Anonymous
Not applicable
In response to omacoder

‎02-03-2020 09:13 PM

@omacoder  RLS is an all or nothing deal.  The "contributer" exception is the only bypass, which is done for the necessity of development.

 

Creating a superuser role is the best work around here, which is generally what i do with Azure SSAS models where RLS is enforced.  In Azure i can add Active Directory Security Groups to the role, which helps me manage access.  I've not tried using these groups in RLS specifically, but they do work in Workspace and App permissions, so i'd have some confidence it could work in there too.

Message 10 of 10
621 Views
0
v-jayw-msft
Community Support
Community Support

‎01-31-2020 12:00 AM

Hi @omacoder ,

 

RLS is based on data not report. That's why RLS is only effective for the users who don't have the right to edit underlying data(Viewer). So basically, yes, you need two models.

 

Best Regards,

Jay

Community Support Team _ Jay Wang

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Community Support Team _ Jay
If this post helps, then please consider Accept it as the solution to help the other members find it.
Message 7 of 10
654 Views
0
Anonymous
Not applicable

‎01-29-2020 09:07 PM

Once Row Level security is on, every user must have 1 or more roles in order to see anything.

 

You can create a SuperUser role, which has access to everything and assign people to that role.

Message 2 of 10
706 Views
0
omacoder
Helper II
Helper II
In response to Anonymous

‎01-29-2020 09:39 PM

Also... per https://docs.microsoft.com/en-us/power-bi/service-admin-rls

It is possible that the RLS role doesn't get applied when members have "Edit" permissions.

However, it is not clear what classifies an "Edit" permission in a workspace or app??

Message 6 of 10
700 Views
0
omacoder
Helper II
Helper II
In response to Anonymous

‎01-29-2020 09:30 PM

This information isn't completely correct... I have users who can see everything, and they are assigned to zero roles in PowerBI Service.

 

They may be specified as a workspace admin -- but, they can still see everything in the model...?

 

Message 3 of 10
703 Views
0
Anonymous
Not applicable
In response to omacoder

‎01-29-2020 09:52 PM

Workspace admins are developers with the highest access, for the purpose of Power BI.  They are an exception to the rule.  If you are creating reports for people to use, they shouldn't be admins.  Report consumers have security applied to them.

Message 4 of 10
696 Views
0
Anonymous
Not applicable
In response to Anonymous

‎01-29-2020 09:56 PM

The same goes for  "Edit" permissions.  Edit permissions is to mark someone as a developer, which is why some of the RLS doesn't apply.  When releasing reports to users, they aren't developers and need to fall under standard security.

Message 5 of 10
694 Views
0

Helpful resources

Announcements
PBIApril_Carousel

Power BI Monthly Update - April 2025

Check out the April 2025 Power BI update to learn about new features.

Notebook Gallery Carousel1

NEW! Community Notebooks Gallery

Explore and share Fabric Notebooks to boost Power BI insights in the new community notebooks gallery.

April2025 Carousel

Fabric Community Update - April 2025

Find out what's new and trending in the Fabric community.

View All
Top Solution Authors
View All