Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
pade
Advocate III
Advocate III

Restricting access to singel table using RLS

‎11-03-2018 01:44 AM

I guess I already know the answer, but it doesn’t hurt asking

 

I have a dataset where I'm currently not using RLS. Now I got one new table in the dataset containing information that shall only bee seen by a restricted group of users. This new table can either be seen as a new table, or as a column in already existing table, think of this as e.g. a private phone number

 

When I first implemented RLS by adding a role (SecureTableAccess), and published it to the Power BI Service, the complete report becomes blank/restricted, not for me, but for all other users. Please not that I just added the role, and not even added any filter conditions to any table

Ok... To make sure the group of users that shall see the restricted information can see the information, I need to add those users to the role in the Power BI Service using the Security settings on the dataset in the Power BI Service. Doing so, the privileged users now can see the report. But the other users still can't see the report.

To finalize securing the restricted table, I now created a RLS filter on the restricted table and republished the report. The privileged users now still can see the report, but the other users still can't.

 

How do I make sure other users can see what they did see before?

What I did was to add a "BasicUser" role to the dataset and added all other users to that role.

As this report is shared as a Power BI App to an already restricted group of users, it feels kind of odd to add all these users a second time, just to restrict part of the data to a smaller group of users, but I also understand that there might be reasons for this as well

 

Finally my question. Was what I did correct. Do I always need to add a basic user role and add all users to that role as soon as I add any role to the dataset, or is there any other pattern that can be used

 

Also, Viewing the dataset using the Power BI Desktop and using "View as Role", if I there choose "None", I still will see everything. My expectation was that choosing "None", I would see the same as users not assigned to any role in the Power BI Service. But that was not the case, and this missleaded me. The consequence of this was that the report was not visable for some time for "regular" users. Also, Using the Power BI Desktop "View as Role" feature and giving an arbitrary username like foo@bar.com still shows the unrestricted data, something that is not the case when the user foo@bar.com tries to access the report in the Power BI Service. All this might be a missunderstanding from my side of how roles is intended to work, or a glitch in how Microsoft wants to implement the RLS testing features

Labels:
Message 1 of 2
1,834 Views
0
1 ACCEPTED SOLUTION
v-yuta-msft
Community Support
Community Support

‎11-05-2018 12:13 AM

Hi pade,

 

"Finally my question. Was what I did correct. Do I always need to add a basic user role and add all users to that role as soon as I add any role to the dataset, or is there any other pattern that can be used"

 

<--- Yes, you need to assigned members' account to the role so that the members can view contents included by the role, in addtion, if your group has large amount of such member account, I would recommend you to set row level security instead of manually assign members to roles.

 

Regards,

Jimmy Tao

View solution in original post

Message 2 of 2
1,802 Views
0
1 REPLY 1
v-yuta-msft
Community Support
Community Support

‎11-05-2018 12:13 AM

Hi pade,

 

"Finally my question. Was what I did correct. Do I always need to add a basic user role and add all users to that role as soon as I add any role to the dataset, or is there any other pattern that can be used"

 

<--- Yes, you need to assigned members' account to the role so that the members can view contents included by the role, in addtion, if your group has large amount of such member account, I would recommend you to set row level security instead of manually assign members to roles.

 

Regards,

Jimmy Tao

Message 2 of 2
1,803 Views
0

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All