cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
Highlighted
Helper II
Helper II

Dynamic Row Level Security

Hi

 

I am looking for some advise on how to best address RLS on hierarchy or organisation, the key focus or relationship across my tables is based on a persons full name; First & Last Name.  So I managed to setup simple form of RLS based around this criteria, I have a manager who then has staff.  I used the example from RAZRAD; which uses 'PATHCONTAINS()' and is based on using 'UserPrincipalName()', and this works fine.  E.g. if 'John' logon he can see his records plus anyone managed by him and so on, and likewise if 'Sharon' logins in, she can only see her projects.  But if I need the director to login, or someone who needs to view all the data, they do not see any projects as they are not directly related to any projects in any tables, even though they manage the whole organisation, there is no key relationship with their details on my table(s).

 

1. Now, do I need to rethink my model, the users are linked to records by their names, not an ID. Not everyone who wants to see the data is actually on the table, projects are not separted by department they are seprated or identified by the staff working on that project(s), and ideally there needs to be some form of cross-over.

 

2. Or, do I create a seperate report, one that has no RLS in the model and is viewable by those staff I permit or grant access to see it, or am I creating extra and duplicated work?

 

Many thanks

Chris Carpenter

Finance & Contracts Information Analyst

 

 

2 ACCEPTED SOLUTIONS

Accepted Solutions
Highlighted
Super User I
Super User I

Re: Dynamic Row Level Security

Hi Chris,

 

If giving "global" access to some specific users, the easiest way is to just add a new role within Desktop.

Create a new group and do not set any filter on the tables.

the next step will be to assignt your directors (or Director AD group) to that group in PBI service. 

 

RLS.png

 

View solution in original post

Highlighted
Super User I
Super User I

Re: Dynamic Row Level Security

Hi Chris,

 

These 2 settings are seperate things.

You can add anyone to the RLS rules without impacting the actual rights to the report/workspace.

But giving access to a report to users that dont have rights according to the RLS rules, will just see a blank report. 

 

Robbe

 

View solution in original post

5 REPLIES 5
Highlighted
Super User I
Super User I

Re: Dynamic Row Level Security

Hi Chris,

 

If giving "global" access to some specific users, the easiest way is to just add a new role within Desktop.

Create a new group and do not set any filter on the tables.

the next step will be to assignt your directors (or Director AD group) to that group in PBI service. 

 

RLS.png

 

View solution in original post

Highlighted
Helper II
Helper II

Re: Dynamic Row Level Security

RobbeVL

 

Fantastic, so simple and it works a treat, thanks again.

 

Also, any thoughts on the significance of the 'Access' option when in PowerBI Service area?  Screen print below, I am the admin and on this occasion I just added a random user.  I does not seem to have any impact when I add a user or not, it deos not seem to take in to accouinty any setting I push through when using RLS.

 

Chris

 

 

access.PNG

Chris

Highlighted
Super User I
Super User I

Re: Dynamic Row Level Security

Hi Chris,

 

These 2 settings are seperate things.

You can add anyone to the RLS rules without impacting the actual rights to the report/workspace.

But giving access to a report to users that dont have rights according to the RLS rules, will just see a blank report. 

 

Robbe

 

View solution in original post

Highlighted
Frequent Visitor

Re: Dynamic Row Level Security

Hi All,

 

I am having security table SECURITY_DYN_AP and it contains GlobalID(userid) , profile, level1,level2,level3,level4,level5,level6,level7,sourcesystemregion,customername and globalcustomer

Currently we have applied row level security for GlobalID column in SECURITY_DYN_AP table by checking against loggedinuser using USERPRINCIPALNAME(). However I am also having transaction table CV_POWERBI_DAILY_SALES_VS_PLAN with columns Level1 to Level7 and the measures where in I need to filter out the data based on the LEVEL1 to Level7 values in the SECURITY_DYN_AP table. Also there is intermediary table called KY in which we have the concatenated value of Sourcesystemregion+level1 to level7+ Customer Name +globalcustomer. The transaction table is linked to KY table on KY column and this KY table is linked to SECURITY_DYN_AP table on KY column 

Please help me how can i achieve the filtering of transaction table data using row level security based on the values for LEvel 1 to Level7

 

Regards

Arun

 

Highlighted
Helper II
Helper II

Re: Dynamic Row Level Security

Hi Arun

 

Are you able to post a sample data?

 

The key I found that worked for me was to create the relationship bwteen the tables, so in my example I had to use staff names as this was the key field to match who should look at what, which I ten mathced to a username in a separte table for example using he USERNAME().  If that person logged in then they would only seeany data with their name assigned to it, but it also allowed a manger to view all his staff as I created a hierarchy list. 

 

Have you seen these example? these are what I used to get my scenario to work.

 

https://radacad.com/row-level-security-configuration-in-power-bi-desktop - these are the examples I used and I even bought Kindle book he sells. And alos take a look at this - 

https://radacad.com/dynamic-row-level-security-in-power-bi-with-organizational-hierarchy-and-multipl...

 

Two more links, I have not tried these but they may be of use:

https://www.blue-granite.com/blog/using-dynamic-row-level-security-with-organizational-hierarchies?h...

https://blog.crossjoin.co.uk/2013/05/10/userelationship-and-tabular-row-security/

 

chris

Helpful resources

Announcements
August 2020 Community Challenge: Can You Solve These?

August 2020 Community Challenge: Can You Solve These?

We're excited to announce our first cross-community 'Can You Solve These?' challenge!

Super Users of the Quarter - Q2 2020

Super Users of the Quarter - Q2 2020

Who are our Super User Superstars? Who made it to the top of the leaderboards? Get the answers!

Community Blog

Community Blog

Visit our Community Blog for articles, guides, and information created by fellow community members.

Community Summit Australia – Join Online!

Community Summit Australia – Join Online!

Be a part of the leading Microsoft Business Applications digital event, curated for the APAC community.