Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Earn the coveted Fabric Analytics Engineer certification. 100% off your exam for a limited time only!

Reply
vaibhav_osc
Helper I
Helper I

Row level security using AD groups

Currently I have RLS applied on my model allowing users to access certain level of access based on a mapping table I have maintained. My mapping table is of the the below schema storing the UPNs of users and their level of access:

UserLevel of access
ARegion
BCountry
CCountry
DCity
ERegion

Now, it works fine for all the users but everytime a new user needs access I have to modify this table.

I wanted to hence change this table to the below schema so I dont need to modify the table and adding the user to the group would be enough.

GroupLevel of access
ARegion
BCountry
CCity

Any idea how I could link the logged in user with the groups or get the group through which the user has access to the dashboard while applying RLS in the model?

1 ACCEPTED SOLUTION
v-sihou-msft
Employee
Employee

@vaibhav_osc

 

On Power BI Service, you can add security group as member of a role. See: Row-level security (RLS) with Power BI

 

In this scenario, you can create security groups on O365 admin center: Create, edit, or delete a security group in the Office 365 admin center. Then add all users into corresponding security group. Now you will not need that "mapping" table in your model.

 

Regards,

View solution in original post

6 REPLIES 6
DerekLedbetter
Regular Visitor

Any documentation?  I have a vendor wanting to build an AD Group and then use RLS to provide what can and can't be seen in the application.

 

We build an AD group.  I believe in is pushed to the Azure AD.  Will that be sufficient?  What else is needed?

v-sihou-msft
Employee
Employee

@vaibhav_osc

 

On Power BI Service, you can add security group as member of a role. See: Row-level security (RLS) with Power BI

 

In this scenario, you can create security groups on O365 admin center: Create, edit, or delete a security group in the Office 365 admin center. Then add all users into corresponding security group. Now you will not need that "mapping" table in your model.

 

Regards,

Please note from the link that Office 365 groups are not supported. 

CynHuallanca_0-1676490265471.png

https://learn.microsoft.com/en-us/power-bi/enterprise/service-admin-rls

 

Anonymous
Not applicable

Is it possible to split members of an AD Group into separate RLS roles? I have an AD Group called PBI-Expense with 10 members, say A-J.  Then I have 2 RLS roles - Dept1 and Dept2.  Can I share the report to the PBI-Expnse AD group and then for RLS add members A-E to Dept1 role and F-J to Dept2 role?

 

The idea is I want to share reports to large groups by sharing to AD groups.  But then for RLS, I want to be able to assign individual members to different roles instead of the whole group to a single role.

 

Any ideas on how to do this?

 

 

Thanks,

 

Ferdinand

Anonymous
Not applicable

Just finished testing and was able to confirm that individual members of an AD group can be assigned to different RLS roles.  Sharing to the AD group gives members access to the report but the RLS role an individual is assigned is what determines what data the user sees.

How do i achieve this?. Any documentation available?. 

Helpful resources

Announcements
April AMA free

Microsoft Fabric AMA Livestream

Join us Tuesday, April 09, 9:00 – 10:00 AM PST for a live, expert-led Q&A session on all things Microsoft Fabric!

March Fabric Community Update

Fabric Community Update - March 2024

Find out what's new and trending in the Fabric Community.

Top Solution Authors
Top Kudoed Authors