Earn the coveted Fabric Analytics Engineer certification. 100% off your exam for a limited time only!
Hello everyone,
I am trying to implement a basic RLS configuration on a report that my company shares with a client. Everyone on the client side can view the report with one exception. They have one contract user who should only be allowed to see a certain subset of the data.
So, I created a group in PBI Desktop for this user with the proper filters. When I test it using "view as role" it works perfectly. Once published to the Service I added the contract user to that group and tested it again. No problems there. The error comes when one of the other client users (who should have full access) tries to view the report. They get an error message saying "This visual contains restricted data" on each visual. When I run a test for one of these users in the Service I can see this error as well.
Any ideas on what I am doing wrong? My goal is to have everyone access the report as they did before, with the exception of the contract user who is assigned to a group that filters their data.
Thanks!
Solved! Go to Solution.
Hello @Anonymous
Once you apply RLS to a model it applies to all users so what you need is a role with no filters then you add all the other users to that unrestricted role.
Hello @Anonymous
Once you apply RLS to a model it applies to all users so what you need is a role with no filters then you add all the other users to that unrestricted role.
Ah ok. I thought it might be something like that. I was hoping to avoid having to manually add everyone else to a different group. I'm trying to wrap my head around dynamic RLS to see if that is an option, but I'm not sure that it makes sense in this case.
Anyway, thank you for the quick response!
One thing you can do is use active directory security groups to help with managing access. If your network admins maintain security group by department lets say, you can share the report with the 'Accounting' security group and assign the 'Accounting' security group to the unrestricted role. When a new person is hired, if they are added into the 'Accounting' security group, the report will already be shared with them and the RLS will be applied. The same will work if a person in the company changes from one security group to another (assuming they are removed from thei old securty group).
Thanks! I don't think our client users are set up in AD groups right now but I will double check. Either way it is good to know. This is the first time I have tried to use RLS so I'm still learning.
Thanks again!
User | Count |
---|---|
140 | |
113 | |
104 | |
77 | |
65 |
User | Count |
---|---|
136 | |
117 | |
101 | |
71 | |
61 |