Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
Pbi07
Helper V
Helper V

RLS with org hierarchy

‎05-30-2020 08:12 PM

Hello 

 

I need to develop a dynamic security set up for the data model being built and needed some help. 
My model has a shipment table with managers responsible. These managers have superiors as SVP’s and their superiors as Presidents. Shipments data will have the Manager or SVP's tied to shipment lines. But will not have the President’s ID’s.

The ask is to have the report be viewed by only the Managers or superiors who are part of the hierarchy.

President P1 - Can view all the data under his line of business. There are 4 president's who can view all the data. 
SVP1 - SHould view details of shipments of all managers under his Group. 

Managers can view only the data they are tied to in the shipments. 

I was looking at the below link , but in my scenario i could have multiple Level 1's, so the path gets distorted. 

https://radacad.com/dynamic-row-level-security-with-organizational-hierarchy-power-bi

 

Attaching the sample data that i am working with. 

I have this hierarchy in a table -USers_hier.

Can RLS be applied if the user is not part of the shipments data?

 

https://drive.google.com/file/d/14GfMN15z7irifqC9WqibZbySpWD-vGkd/view?usp=sharing

 

Labels:
Message 1 of 6
1,168 Views
0
1 ACCEPTED SOLUTION
amitchandak
Super User
Super User
In response to Pbi07

‎06-01-2020 08:00 PM

@Pbi07 , if their reportees is part of if they should get access to it.

I think the MBAS Gallary video they have even shown how to bypass it for a certain user. Saw it long back so not sure now.  Even you can have a fact where you do no apply RLS and give access to the executive from that

 

https://community.powerbi.com/t5/MBAS-Gallery/Microsoft-Power-BI-Unleash-row-level-security-patterns...



View solution in original post

Message 4 of 6
1,075 Views
5 REPLIES 5
Yogesh_Telasang
New Member

‎09-18-2020 12:06 PM

Hi,

 

In this case you'll have to create 2 roles;

 

Role 1 - for managers/SVPs whose details are available in the shipment data. You can use pathcontains and username/userprincipalname to validate the user. Add managers and SVPs to this group in the RLS of dataset.

 

Role 2 - for Presidents whose details are unavilable in the shipment data. Just create a role without using security filter functions and add presidents to this group similarly.

 

This way Presidents have access to view all the data and managers/SVPs have access to view the data that they are entitled to.

Message 6 of 6
1,038 Views
0
v-xicai
Community Support
Community Support

‎06-01-2020 02:19 AM

Hi @Pbi07 ,

 

You may set Row-Level Security (RLS) to manage roles,  please see the link Power BI Desktop Dynamic security cheat sheet, which described the detailed steps. Maybe it doesn't work, there are some tips to let it work and test it efficiently.

 

Best Regards,

Amy 

 

Community Support Team _ Amy

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Message 5 of 6
1,095 Views
0
Pbi07
Helper V
Helper V
In response to amitchandak

‎06-01-2020 03:02 PM

Thanks @amitchandak 

 

These are good reads on RLS. 

I wanted to clarify 1 point. 

If there are users - Mainly executives who are not part of the FACT data and if they need access to all the reporting, what is the usual practice?  Is it better to NOT to add them to any roles? 

I liked the dynamic approach narrated by Reza here - https://radacad.com/dynamic-row-level-security-with-organizational-hierarchy-power-bi.  But, it kind of breaks if there are multiple managers for a user.  

 

Message 3 of 6
1,085 Views
0
amitchandak
Super User
Super User
In response to Pbi07

‎06-01-2020 08:00 PM

@Pbi07 , if their reportees is part of if they should get access to it.

I think the MBAS Gallary video they have even shown how to bypass it for a certain user. Saw it long back so not sure now.  Even you can have a fact where you do no apply RLS and give access to the executive from that

 

https://community.powerbi.com/t5/MBAS-Gallery/Microsoft-Power-BI-Unleash-row-level-security-patterns...



Message 4 of 6
1,076 Views

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All