Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Find everything you need to get certified on Fabric—skills challenges, live sessions, exam prep, role guidance, and more. Get started

Reply
vaibhav_osc
Helper I
Helper I

Row level security using AD groups

Currently I have RLS applied on my model allowing users to access certain level of access based on a mapping table I have maintained. My mapping table is of the the below schema storing the UPNs of users and their level of access:

UserLevel of access
ARegion
BCountry
CCountry
DCity
ERegion

Now, it works fine for all the users but everytime a new user needs access I have to modify this table.

I wanted to hence change this table to the below schema so I dont need to modify the table and adding the user to the group would be enough.

GroupLevel of access
ARegion
BCountry
CCity

Any idea how I could link the logged in user with the groups or get the group through which the user has access to the dashboard while applying RLS in the model?

1 ACCEPTED SOLUTION
v-sihou-msft
Microsoft Employee
Microsoft Employee

@vaibhav_osc

 

On Power BI Service, you can add security group as member of a role. See: Row-level security (RLS) with Power BI

 

In this scenario, you can create security groups on O365 admin center: Create, edit, or delete a security group in the Office 365 admin center. Then add all users into corresponding security group. Now you will not need that "mapping" table in your model.

 

Regards,

View solution in original post

6 REPLIES 6
DerekLedbetter
Frequent Visitor

Any documentation?  I have a vendor wanting to build an AD Group and then use RLS to provide what can and can't be seen in the application.

 

We build an AD group.  I believe in is pushed to the Azure AD.  Will that be sufficient?  What else is needed?

v-sihou-msft
Microsoft Employee
Microsoft Employee

@vaibhav_osc

 

On Power BI Service, you can add security group as member of a role. See: Row-level security (RLS) with Power BI

 

In this scenario, you can create security groups on O365 admin center: Create, edit, or delete a security group in the Office 365 admin center. Then add all users into corresponding security group. Now you will not need that "mapping" table in your model.

 

Regards,

Please note from the link that Office 365 groups are not supported. 

CynHuallanca_0-1676490265471.png

https://learn.microsoft.com/en-us/power-bi/enterprise/service-admin-rls

 

Anonymous
Not applicable

Is it possible to split members of an AD Group into separate RLS roles? I have an AD Group called PBI-Expense with 10 members, say A-J.  Then I have 2 RLS roles - Dept1 and Dept2.  Can I share the report to the PBI-Expnse AD group and then for RLS add members A-E to Dept1 role and F-J to Dept2 role?

 

The idea is I want to share reports to large groups by sharing to AD groups.  But then for RLS, I want to be able to assign individual members to different roles instead of the whole group to a single role.

 

Any ideas on how to do this?

 

 

Thanks,

 

Ferdinand

Anonymous
Not applicable

Just finished testing and was able to confirm that individual members of an AD group can be assigned to different RLS roles.  Sharing to the AD group gives members access to the report but the RLS role an individual is assigned is what determines what data the user sees.

Anonymous
Not applicable

How do i achieve this?. Any documentation available?. 

Helpful resources

Announcements
September Hackathon Carousel

Microsoft Fabric & AI Learning Hackathon

Learn from experts, get hands-on experience, and win awesome prizes.

Top Solution Authors