Anonymous
Not applicable

Question about Row Level Security (RLS)

Hello everyone,

 

I am trying to implement a basic RLS configuration on a report that my company shares with a client. Everyone on the client side can view the report with one exception. They have one contract user who should only be allowed to see a certain subset of the data. 

 

So, I created a group in PBI Desktop for this user with the proper filters. When I test it using "view as role" it works perfectly. Once published to the Service I added the contract user to that group and tested it again. No problems there. The error comes when one of the other client users (who should have full access) tries to view the report. They get an error message saying "This visual contains restricted data" on each visual. When I run a test for one of these users in the Service I can see this error as well.

 

Any ideas on what I am doing wrong? My goal is to have everyone access the report as they did before, with the exception of the contract user who is assigned to a group that filters their data.

 

Thanks!

1 ACCEPTED SOLUTION
jdbuchanan71
Super User

Hello @Anonymous 

Once you apply RLS to a model, it applies to all users, so what you need is a role with no filters; then you add all the other users to that unrestricted role.


4 REPLIES 4
Anonymous
Not applicable

Ah ok. I thought it might be something like that. I was hoping to avoid having to manually add everyone else to a different group. I'm trying to wrap my head around dynamic RLS to see if that is an option, but I'm not sure that it makes sense in this case.

 

Anyway, thank you for the quick response!

One thing you can do is use Active Directory security groups to help with managing access. If your network admins maintain security groups by department, let's say, you can share the report with the 'Accounting' security group and assign the 'Accounting' security group to the unrestricted role. When a new person is hired, if they are added into the 'Accounting' security group, the report will already be shared with them and the RLS will be applied. The same will work if a person in the company changes from one security group to another (assuming they are removed from their old security group).
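An added example, not part of the original thread: a small Python audit of the two points in the replies above (once RLS is on, a viewer mapped to no role gets the "restricted data" error, and a security group can be assigned to the unrestricted role). It also flags a restricted user who ends up in the unrestricted role through a group, because Power BI role filters are additive across a user's roles. The function names, the input shape and every user, group and role below are constructed.

```python
# Added example: audit RLS role coverage. All users, groups and roles are constructed.

def expand(principals, groups, seen=None):
    """Resolve a list of users and security groups to the set of member users."""
    seen = set() if seen is None else seen
    users = set()
    for p in principals:
        if p in groups:
            if p not in seen:              # guard against cyclic group nesting
                seen.add(p)
                users |= expand(groups[p], groups, seen)
        else:
            users.add(p)
    return users

def audit_rls(audience, roles, groups):
    """Compare who the report is shared with against who is mapped to an RLS role.

    roles: {role_name: {"filtered": bool, "members": [user or group names]}}
    """
    viewers = expand(audience, groups)
    role_users = {n: expand(r["members"], groups) for n, r in roles.items()}
    findings = {"no_role": set(), "restriction_bypassed": set()}
    for user in viewers:
        mine = [n for n, members in role_users.items() if user in members]
        filtered = [n for n in mine if roles[n]["filtered"]]
        if not mine:
            # Shared with the report but in no role: sees "restricted data".
            findings["no_role"].add(user)
        elif filtered and len(filtered) < len(mine):
            # In a filtered role AND an unfiltered one: the filter has no effect.
            findings["restriction_bypassed"].add(user)
    return findings

# Constructed sample: the contractor was also placed in the 'Accounting' group.
GROUPS = {"Accounting": ["alice@client.example", "bob@client.example",
                         "contractor@client.example"]}
ROLES = {
    "Contractor":   {"filtered": True,  "members": ["contractor@client.example"]},
    "Unrestricted": {"filtered": False, "members": ["Accounting"]},
}
AUDIENCE = ["Accounting", "carol@client.example"]

if __name__ == "__main__":
    for finding, users in audit_rls(AUDIENCE, ROLES, GROUPS).items():
        print(finding, sorted(users))
```
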

Anonymous
Not applicable

Thanks! I don't think our client users are set up in AD groups right now but I will double check. Either way it is good to know. This is the first time I have tried to use RLS so I'm still learning.

 

Thanks again!
