Solved: Updating RLS Security in Service when publishing

ZR3036 · ‎04-26-2024

I have a PBI report I publish monthly - up to this point it has been multiple reports for different groups. I am trying to use RLS to publish one report that will allow views based on roles.

I have gotten the RLS to work in Desktop the way that I want, with 8 different roles that all work as intended when using the "View As' in modeling.

The access list is updated and sent to me monthly, with employee names/emails/roles. I have created a linked table in the report that updates on a data refresh, this table has a many to one with a Roles table I created that links to the relevant data tables.

Going through the RLS instructional pages, I can see how to go into security in Service. After publishing, I can see all the roles I created in Service. However, individually updating each email monthly would be very time consuming.

Since the only people who can access this report are members of a workspace, and their emails/names are listed, how do I update the RLS in service via the linked table when I publish the report?

TomMartens · ‎04-27-2024

Hey @ZR3036 ,

unfortunately, what you are looking for is not possible. In Power BI Desktop you define the rules for the roles (the DAX statement), even if you have a table of users (the email address, or being more precise - the userprincipalname). it's not possible. You can not use Power BI Desktop to alter the membership of the roles.

I recommend using Azure Active Directory security groups (now known as Azure Entra ID security groups), add these security groups to the roles instead of individuals. Still you need to figure out how to properly assign the individuals to the security groups.

Please be aware that Row Level Security does not apply if the workspace is same that hosts the semantic model and also hosts the members, the only exception, meaning RLS will be honored is the situation when the members have the Viewer workspace role assigned.
It's always a good practic to share Power BI apps among users instead of adding users to the workspace.

Hopefully, this helps to tackle your challenge.

Regards,

Tom

Did I answer your question? Mark my post as a solution, this will help others!

Proud to be a Super User!
I accept Kudos 😉
Hamburg, Germany

View solution in original post

TomMartens · ‎04-27-2024

Hey @ZR3036 ,

unfortunately, what you are looking for is not possible. In Power BI Desktop you define the rules for the roles (the DAX statement), even if you have a table of users (the email address, or being more precise - the userprincipalname). it's not possible. You can not use Power BI Desktop to alter the membership of the roles.

I recommend using Azure Active Directory security groups (now known as Azure Entra ID security groups), add these security groups to the roles instead of individuals. Still you need to figure out how to properly assign the individuals to the security groups.

Please be aware that Row Level Security does not apply if the workspace is same that hosts the semantic model and also hosts the members, the only exception, meaning RLS will be honored is the situation when the members have the Viewer workspace role assigned.
It's always a good practic to share Power BI apps among users instead of adding users to the workspace.

Hopefully, this helps to tackle your challenge.

Regards,

Tom

Did I answer your question? Mark my post as a solution, this will help others!

Proud to be a Super User!
I accept Kudos 😉
Hamburg, Germany

ZR3036 · ‎04-29-2024

Thank you for the reply, Tom.

Using Azure Entra ID Security Groups is what I'm looking at doing currently, it makes sense Desktop could not alter roles in Service in a workspace. Would that make the roles table I have in the report pointless since I already restricted data views with Manage Role rules in PBI Desktop?

Updating RLS Security in Service when publishing

Helpful resources

Microsoft Fabric Learn Together

Power BI Monthly Update - April 2024

Fabric Community Update - April 2024