Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
OneWithQuestion
Post Prodigy
Post Prodigy

RLS: how can I enforce RLS for report creators? Can I do RLS inside the data source?

‎08-28-2020 06:46 AM

I have several common data sources that various report creators want to access.

However, we have to restrict access based off the security of who is accessing the data.

In PBI and SSAS Tabular this normally works fine as I will build the data models, use RLS inside the datamodel and let the user consume that.

However, we have users who would like to use multiple datasets or sources in a single report.

Example:  We have data that needs RLS protection on our SQL server and we want to also access three or four other data sources (SPO, Excel, etc...) that do NOT need RLS.

How can I enfore RLS on one or two data sources, but allow report creators to build their own reports adding other data sources as they desire?

Labels:
Message 1 of 5
965 Views
0
3 ACCEPTED SOLUTIONS
lbendlin
Super User
Super User

‎08-28-2020 04:38 PM

Clarify what you mean by Report Creators.  Also please specify which SKU you are on.

 

Notes: 

RLS does not work in a workspace. Anyone with access to the workspace can see all the data.  One of the many reasons to restrict access to workspaces as much as possible.

RLS works as expected in apps. It also works in reports created off the apps, and in the "Analyze in Excel"  files that connect to the dataset.

 

View solution in original post

Message 2 of 5
930 Views
edhans
Super User
Super User

‎08-28-2020 05:21 PM

@OneWithQuestion 
RLS is on the model, not a data source. But when you are setting up RLS, if you only set it up on some fields that are in some tables, then only those fields/tables will be affected.

 

But if your users are report creators and using Power BI Desktop, they can see everything. That is where you set up the RLS conditions, then you set up the RLS Security in the service. So you cannot restrict data in Power BI Desktop unless it is restricted at your source - SQL Server or SSAS before the data gets to Power BI Desktop.

 

However, if you do that, then I am not certian how any additional RLS could be done. For example,

  • Report Writer A has permissions to see Sales Regions A, B, and C, but not D, E and F. 
  • Report Viewer B has permissions to see region F
  • How would Report Writer A be able to see and test to write RLS to limit region F to Viewer B if they cannot even see F?

Typically report writers see all data. I am not saying it cannot be done, but it really becomes more of a data management issue at the source, not within Power BI.

 

Is that your question?



Did I answer your question? Mark my post as a solution!
Did my answers help arrive at a solution? Give it a kudos by clicking the Thumbs Up!

DAX is for Analysis. Power Query is for Data Modeling


Proud to be a Super User!

MCSA: BI Reporting

View solution in original post

Message 3 of 5
926 Views
edhans
Super User
Super User
In response to OneWithQuestion

‎08-31-2020 08:35 AM

Yes. Creating a report based on multiple datasets is coming but not sure when, and I wouldn't be surprised if additional features like RLS, Incremental Refresh, etc. wouldn't be available day one. Could be, but that is a lot to launch right out of the gate.



Did I answer your question? Mark my post as a solution!
Did my answers help arrive at a solution? Give it a kudos by clicking the Thumbs Up!

DAX is for Analysis. Power Query is for Data Modeling


Proud to be a Super User!

MCSA: BI Reporting

View solution in original post

Message 5 of 5
872 Views
4 REPLIES 4
edhans
Super User
Super User

‎08-28-2020 05:21 PM

@OneWithQuestion 
RLS is on the model, not a data source. But when you are setting up RLS, if you only set it up on some fields that are in some tables, then only those fields/tables will be affected.

 

But if your users are report creators and using Power BI Desktop, they can see everything. That is where you set up the RLS conditions, then you set up the RLS Security in the service. So you cannot restrict data in Power BI Desktop unless it is restricted at your source - SQL Server or SSAS before the data gets to Power BI Desktop.

 

However, if you do that, then I am not certian how any additional RLS could be done. For example,

  • Report Writer A has permissions to see Sales Regions A, B, and C, but not D, E and F. 
  • Report Viewer B has permissions to see region F
  • How would Report Writer A be able to see and test to write RLS to limit region F to Viewer B if they cannot even see F?

Typically report writers see all data. I am not saying it cannot be done, but it really becomes more of a data management issue at the source, not within Power BI.

 

Is that your question?



Did I answer your question? Mark my post as a solution!
Did my answers help arrive at a solution? Give it a kudos by clicking the Thumbs Up!

DAX is for Analysis. Power Query is for Data Modeling


Proud to be a Super User!

MCSA: BI Reporting
Message 3 of 5
927 Views
OneWithQuestion
Post Prodigy
Post Prodigy
In response to edhans

‎08-31-2020 06:45 AM

Thank you to both replies, and yes I was not articulating my thoughts well.  I realized I was confused about the details in general.


I wanted to create a data source that report creators (Power BI Pro users, we don't have Premium) could consume and then add additional data sources to their PBI data model.

However, for RLS to work it has to be handled inside the data source itself or via PBI RLS in a dataset.

At present, PBI does not support multiple datasets in a single PBI desktop report, so I can't define RLS in a shared dataset.

Message 4 of 5
889 Views
0
edhans
Super User
Super User
In response to OneWithQuestion

‎08-31-2020 08:35 AM

Yes. Creating a report based on multiple datasets is coming but not sure when, and I wouldn't be surprised if additional features like RLS, Incremental Refresh, etc. wouldn't be available day one. Could be, but that is a lot to launch right out of the gate.



Did I answer your question? Mark my post as a solution!
Did my answers help arrive at a solution? Give it a kudos by clicking the Thumbs Up!

DAX is for Analysis. Power Query is for Data Modeling


Proud to be a Super User!

MCSA: BI Reporting
Message 5 of 5
873 Views
lbendlin
Super User
Super User

‎08-28-2020 04:38 PM

Clarify what you mean by Report Creators.  Also please specify which SKU you are on.

 

Notes: 

RLS does not work in a workspace. Anyone with access to the workspace can see all the data.  One of the many reasons to restrict access to workspaces as much as possible.

RLS works as expected in apps. It also works in reports created off the apps, and in the "Analyze in Excel"  files that connect to the dataset.

 

Message 2 of 5
931 Views

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All
Top Solution Authors
View All
Top Kudoed Authors
View All