WByrne
Regular Visitor

Another RLS question - default roles

I am trying to figure out the default behaviour when a user is not assigned a role using row level security. I've read through many articles/questions and watched videos but none seem to address the problem I am seeing. 

 

I have a report with many pages, there is only one page that contains data from one dataset that I would like to restrict access to. I want to restrict access to all data from that table for all users unless they are assigned to a role. To do this I created a dummy column called 'Type' in the dataset and filled it with the value 'Manager'. I then created a role called 'Managers' on my table that had the simple DAX expression:

 

[Type] = "Manager"

 

 

I published the report in my personal workspace and shared it with a couple of colleagues to test. I gave some colleagues the role manager and gave others no role. I made sure that, when sharing, those colleagues had the minimum possible permissions, i.e. they could only view the report.

 

What I expected:

I expected my colleagues who had not been assigned a role to be unable to view the data in the tab where I had set up a role. I expected colleagues assigned a role to be able to see the data in that tab.

 

What actually happened:

The colleagues who were not assigned a role could still see the data in the tab where I had implemented the role Managers. This meant that the default role was to be able to view all of the data (not what I wanted).

 

A possible solution:

One solution was to create another role called Other Users and assign this the expression 

 

[Type] <> "Manager"

 

 

The above is a flawed approach though, it would mean I have to assign every single viewer of the report a role, or they will be able to see data I don't want them to. Surely Power BI has already solved this problem of having a default role? Does anyone have any suggestions?

1 ACCEPTED SOLUTION
m3tr01d
Continued Contributor

@WByrne 

First, people who have access to the Workspace with either Collaborator/Member role will always see all the data of the datasets in the Workspace. In that sense, people who would only consume reports shouldn't be part of the workspace as Collaborator/Member. 

 

If you share a report with someone that is not a collaborator/member of your workspace AND you added a role for RLS in the underlying dataset of the report, they need to belong to one of the roles.
Normally, you would create a blank role No_RLS and the role doesn't filter anything.

Then you will create an AD group for the people that should belong in this role and you can assign this group to the role when you configure security on the Dataset.

 

If the user doesn't belong to any role, he will automatically receive an error message about not being able to access/view the data.


8 REPLIES
WByrne
Regular Visitor

I appreciate your response, but I have already read through that documentation (and lots more on RLS) before posting and it's not helpful in trying to understand why my use does not work. In addition, all those I asked to test were only Viewers (as I explained in my original post), which by the link you posted says RLS should apply. However it was only applied to those with a role assigned. Why were people with no role allowed to see ALL data? The concept doesn't make sense. If you want to restrict data there has to be some kind of default view, no? Else you run the risk of not assigning a role to someone and they can access data they shouldn't be able to.

Hi.

 

How could I create a blank role???

 

Thanks in advance

Make it return TRUE()

Thanks for this extra info, I think this nearly resolves my question. Just to clarify, by AD you mean Active Directory in Azure, right? It's been surprisingly difficult to find this info anywhere online, most resources seem to gloss over these finer details.

m3tr01d
Continued Contributor

Yes, Active Directory in Azure

That's actually what happens in a premium environment. Users will be presented with an error message that access is denied because they are not a member of any role.

lbendlin
Super User

Not sure if your test environment is adequate.  There are quite a few things to consider, like this here:

 

Row-level security (RLS) with Power BI - Power BI | Microsoft Docs
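
The access rules stated in the accepted solution, modelled as an added example (not code from any post in this thread or from Power BI): workspace members bypass RLS, a shared viewer with no role is denied, and role filters mirror the DAX expressions quoted above. The user names, rows and the set of bypassing workspace roles are assumptions, and the "several roles are additive" rule goes beyond what the thread states.

```python
# Added example: models the access rules described in this thread.
# Users, rows and group membership are constructed sample data.

# Assumption: workspace roles with edit rights are not subject to RLS.
BYPASS_WORKSPACE_ROLES = {"Admin", "Member", "Contributor"}

ROWS = [{"Id": 1, "Type": "Manager"}, {"Id": 2, "Type": "Manager"}]

# Role name -> row filter, mirroring the DAX expressions in the thread.
ROLES = {
    "Managers": lambda row: row["Type"] == "Manager",     # [Type] = "Manager"
    "Other Users": lambda row: row["Type"] != "Manager",  # [Type] <> "Manager"
    "No_RLS": lambda row: True,                           # TRUE()
}

ROLE_MEMBERS = {
    "Managers": {"alice"},
    "Other Users": {"bob", "alice"},
    "No_RLS": set(),
}
WORKSPACE_ROLES = {"dave": "Member"}  # dave was added to the workspace itself


def visible_rows(user, rows=ROWS, roles=ROLES, members=ROLE_MEMBERS,
                 workspace_roles=WORKSPACE_ROLES):
    """Return the rows `user` can read; raise PermissionError if denied."""
    if workspace_roles.get(user) in BYPASS_WORKSPACE_ROLES or not roles:
        return list(rows)  # RLS is not evaluated at all
    mine = [name for name, who in members.items() if user in who]
    if not mine:
        raise PermissionError(f"{user} is not a member of any role")
    # Membership in several roles is additive: a row passes if any role allows it.
    return [r for r in rows if any(roles[name](r) for name in mine)]


def audit(users):
    """Map each report recipient to 'denied', 'bypasses RLS' or a row count."""
    result = {}
    for user in users:
        if WORKSPACE_ROLES.get(user) in BYPASS_WORKSPACE_ROLES:
            result[user] = "bypasses RLS"
            continue
        try:
            result[user] = len(visible_rows(user))
        except PermissionError:
            result[user] = "denied"
    return result


if __name__ == "__main__":
    print(audit(["alice", "bob", "carol", "dave"]))
```

Running the audit over the real recipient list before sharing surfaces both failure modes discussed here: recipients who bypass RLS through workspace membership, and recipients left without any role.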
