Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
bcap01
Helper II
Helper II

PBI - Row Level Security for different user types

‎12-09-2022 09:19 AM

Hello,  

I was able to create RLS for users so that the user logged on can only see their data when on a report.  I did this by using the following code snippet:

 

[email] = userprincipalname()

 

However, depending on the user, I would like to make it so the USer can see ALL data.  How is this possible?

 

For example:

 

IF Email ="johnDoe@test,com" or "JaneDoe@test.com'

THEN "See all users data"

ELSE

"See my data only"

END

 

 

Message 1 of 11
1,247 Views
0
1 ACCEPTED SOLUTION
AnastasiaS
Resolver I
Resolver I

‎12-09-2022 10:11 AM

Hello @bcap01 

 

You can define user access in Power BI service.

 

Let's suppose that you defined 2 roles in Power BI desktop:

Director : global user who sees everything; you can use the "true()" function in the "Dax expression" tab

Salesperson: users who only see their data; for this one you have [email] = userprincipalname()

 

Publish the report and then, go to the "..." option of your dataset ->  Security

AnastasiaS_0-1670609317516.png

 

and then specify the e-mail adresses or security groups for each role:

AnastasiaS_1-1670609375579.png

once the persons added, you can click on "..." near the role and "Test as role":

AnastasiaS_2-1670609415414.png

 

You'll be able to test as a specific person by providing its e-mail.

AnastasiaS_3-1670609443031.png

 

Can you try to do that?

Don't hesitate if smth's not clear.

 

Regards,

View solution in original post

Message 2 of 11
1,195 Views
0
10 REPLIES 10
Mikelytics
Resident Rockstar
Resident Rockstar

‎12-09-2022 12:32 PM

Hi @bcap01 

 

based on your description the approach I provided you should work. But to help you more I need the following indformation:

- date model picture with relevant tables and columns

- roles created incl. the rules per role

- people assigned to the rrole (can also be person a, person b person c etc.)

- expected behaviour vs. actual behaviour

 

Best regards

Michael

Best regards

Michael

-----------------------------------------------------

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Appreciate your thumbs up!

@ me in replies or I'll lose your thread.

-----------------------------------------------------

LinkedIn

------------------------------------------------------------------
Visit my blog datenhungrig which I recently started with content about business intelligence and Power BI in German and English or follow me on LinkedIn!
Message 11 of 11
1,176 Views
0
Mikelytics
Resident Rockstar
Resident Rockstar

‎12-09-2022 11:20 AM

Hi @bcap01,

 

From my understanding you created a role (lets call it role A). In role A you already defined the rule

 

[email] = userprincipalname()

 

and you also already assigned people to this role in the Power BI service so that they can only see the data which they are allowed to, correct?

 

Now you want additionally to give specific people the ability to see all data independent from their e-mail address. You can achive this by the following steps:

 

1. Please create a second role (we call it role B)  in Power BI Desktop

2. in role B please do not put in any rules

3. Now again publish your report to the service

4. now assign all people to role B which shall see all data.

 

Result: Now all people assigned to role be should see all data.

 

Best regards

Michael

-----------------------------------------------------

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Appreciate your thumbs up!

@ me in replies or I'll lose your thread.

-----------------------------------------------------

LinkedIn

------------------------------------------------------------------
Visit my blog datenhungrig which I recently started with content about business intelligence and Power BI in German and English or follow me on LinkedIn!
Message 9 of 11
1,187 Views
0
bcap01
Helper II
Helper II
In response to Mikelytics

‎12-14-2022 12:42 PM

Hi,  For some reason my Roles seem to work in PowerBI Desktop, but when  I Publish to Power BI Service, I assign users to the Two Roles, but in each case all data is being returned. 

 

For example, "Leadership" is intended to see ALL data.  "Staff" is intended to see their data only.  "Leadership" and "Staff" for some reason both see all data.  I have assigned folks to each group via PowerBI Service.

 

Is there anything at the Power BI Service level or Desktop that I may need to configure?

 

 

 

Message 10 of 11
1,107 Views
0
AnastasiaS
Resolver I
Resolver I

‎12-09-2022 10:11 AM

Hello @bcap01 

 

You can define user access in Power BI service.

 

Let's suppose that you defined 2 roles in Power BI desktop:

Director : global user who sees everything; you can use the "true()" function in the "Dax expression" tab

Salesperson: users who only see their data; for this one you have [email] = userprincipalname()

 

Publish the report and then, go to the "..." option of your dataset ->  Security

AnastasiaS_0-1670609317516.png

 

and then specify the e-mail adresses or security groups for each role:

AnastasiaS_1-1670609375579.png

once the persons added, you can click on "..." near the role and "Test as role":

AnastasiaS_2-1670609415414.png

 

You'll be able to test as a specific person by providing its e-mail.

AnastasiaS_3-1670609443031.png

 

Can you try to do that?

Don't hesitate if smth's not clear.

 

Regards,

Message 2 of 11
1,196 Views
0
bcap01
Helper II
Helper II
In response to AnastasiaS

‎12-09-2022 12:29 PM

Many thanks!  I have taken these steps, and what is strange is that it seems to generally work in Desktop, but then when I publish, the "Staff" level will show ALL data for the Staff member instead of just the data that applies to that stuff member.  "Director" level shows all data as expected.

Message 3 of 11
1,179 Views
0
AnastasiaS
Resolver I
Resolver I
In response to bcap01

‎12-11-2022 01:28 AM

Hi @bcap01 

Can you try to test directly as "staff role"? without providing a person e-mail.

AnastasiaS_0-1670750571765.png

This is to check if there is the difference between the staff & director roles in terms of data.

 

Per info, there are cases when the RLS won't work. For example, when the specified person is an Admin, Member or Contributor of the workspace. Can you check the workspace access and identify the tested "staff member" permission?

 

Regards,

 

Message 4 of 11
1,152 Views
0
bcap01
Helper II
Helper II
In response to AnastasiaS

‎12-14-2022 06:54 AM

Actually, I am finding that the RLS Secuirty works when I do the "Test as ..."  in Power BI Service.  However, when I have users test they are able to see everything as if they are a :Director" even if I have set them to "Staff".  Is there another place I need to configure this to make Security work?

Message 8 of 11
1,115 Views
0
bcap01
Helper II
Helper II
In response to AnastasiaS

‎12-13-2022 08:01 AM

Hi, 

 

Using my email which is ADMIN:

 

Staff Role - No data results return

Director Role -  All data results return

 

Viewing as another user ... when attempting to View the Staff role as another user the data results come up as "BLANK".  The expectation is that the data results would show for the specied user only. 

 

Are you saying this will not work becuase I am logged in as myself? Is there a way I can View another user in BI Service like I can in the PBI Desktop version?

Message 5 of 11
1,126 Views
0
AnastasiaS
Resolver I
Resolver I
In response to bcap01

‎12-18-2022 11:44 PM

Hey @bcap01 

Normally if the RLS was set up correctly the steps you mention should work.

 

It is difficult to say what is missing without having access to the data & tool.

 

Let's try to gather all infos to make a last check.

 

Could you please, if possible, attach the following screenshots (of course by replacing real names with fictive data; just please keep consistency when replacing them to have a clear idea of how, for example, user A is set).

1. RLS in Power BI desktop where we have the 2 roles + the dax definitions for both

2. Security set in Power BI service. With the 2 roles and the memberships (by replacing real names with fictive data, as long as we have same examples everywhere).

3. Workspace membership. Do the users added to the RLS have access to the Workspace, and which access do they have? admin, contributor, viewer?

This can be viewed by going to the access option within the workspace : 

AnastasiaS_0-1671435824085.png

 

4. Are we sure that users use the right accounts to connect? could there be a difference between the "test as" account and the person signing in? (eg external accounts..)

 

Could you also precise what is the datasource for your report? database, files, cubes...

 

Thanks in advance and hope that we'll find the mistery behind this issue!

 

Regards,

 

 

 

Message 6 of 11
1,094 Views
0
bcap01
Helper II
Helper II
In response to AnastasiaS

‎12-19-2022 07:51 AM

@AnastasiaS I think I figured out the problem.  I had my report in "Public Channels", I created a new directory and added my project to it and seems to be working.  Many thanks for your help!

Message 7 of 11
1,086 Views
0

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All