Nory
New Member

Row Level Security when you have AD Groups

Hello Everyone,

 

I want to filter my report based on the user: each user has his own shop and can see its own data.

But there are thousands of users, and some users are able to see all shops' data.

That's why there are AD GROUPS: let's say shop directors belong to the A-group, and the people from the head office of the company belong to the B-group in the AD and can see everything.

Now I want to just add both groups in the security settings of the report in the portal.

But I want each director to still see only his own shop's data.

Do you know how I can do that?

1 ACCEPTED SOLUTION
josef78
Super User

Generally, you can use AD groups (and users) to assign report permissions or report roles. But for RLS rules you need to work with AD users (using userprincipalname), not with AD groups.

In your case you have two options:

1) Access control based on your existing AD groups (recommended). In this case you need to create two RLS roles:

- first, like "SeeEverything", without any RLS rules. To this role assign your AD B-group.

- second, like "ShopDirectors", with an RLS rule (you will need a table with USER and SHOP columns for shop directors, with an RLS rule). To this role assign your AD A-group.

2) Without AD group dependency, create an RLS role with an RLS rule with a table with USER and SHOP columns for all users (from A or B group). To this role assign both A-group and B-group and maybe also Everyone (no matter, because access will be driven by the RLS rule).
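
Option 1 from the answer above, modelled as an added example that is not part of the original post: it computes what each user would see and audits the group and mapping data for mismatches. It relies on Power BI combining roles additively (a user in several roles sees the union); the UPNs, shop names and function names are constructed for illustration.

```python
# Constructed sample data: group names follow the thread; UPNs and shops are made up.
A_GROUP = {"dir.paris@example.com", "dir.lyon@example.com",
           "dir.nice@example.com", "cfo@example.com"}        # shop directors
B_GROUP = {"cfo@example.com", "hq.analyst@example.com"}      # head office
USER_SHOP = [                                                # USER / SHOP mapping table
    ("dir.paris@example.com", "Paris"),
    ("Dir.Lyon@example.com", "Lyon"),
    ("former.dir@example.com", "Nice"),
]
ALL_SHOPS = {"Paris", "Lyon", "Nice"}


def visible_shops(upn):
    """Shops a user sees under option 1; roles are additive, so results are unioned."""
    upn = upn.lower()             # UPNs are compared case-insensitively here
    shops = set()
    if upn in B_GROUP:            # SeeEverything: no RLS rule
        shops |= ALL_SHOPS
    if upn in A_GROUP:            # ShopDirectors: USER column = userprincipalname
        shops |= {shop for user, shop in USER_SHOP if user.lower() == upn}
    return shops


def audit():
    """Flag configurations that give more or less access than intended."""
    mapped = {user.lower() for user, _ in USER_SHOP}
    return {
        # In both groups: the unfiltered role applies, the shop filter has no effect.
        "sees_everything_despite_director_role": sorted(A_GROUP & B_GROUP),
        # Director with no mapping row and no other role: the report is empty.
        "director_sees_nothing": sorted(u for u in A_GROUP if not visible_shops(u)),
        # Mapping rows for accounts outside A-group: unused today, but they
        # take effect if the account is ever added to the group.
        "mapping_without_group": sorted(mapped - A_GROUP),
    }


if __name__ == "__main__":
    for finding, users in audit().items():
        print(finding, users)
```
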

v-luwang-msft
Community Support

Hi @Nory,

In my opinion, what you need is Dynamic Row Level Security with Hierarchy. For the Dynamic Row Level Security with Hierarchy case, you may refer to these blogs:

https://radacad.com/dynamic-row-level-security-with-organizational-hierarchy-power-bi

https://radacad.com/dynamic-row-level-security-in-power-bi-with-organizational-hierarchy-and-multipl...

https://www.blue-granite.com/blog/using-dynamic-row-level-security-with-organizational-hierarchies

 

Please understand that these links are provided “AS IS” with no warranties or guarantees of content changes, and confer no rights.

 

 

Best Regards

Lucien

Shahfaisal
Solution Sage

Row level security is set up in the model, and for this to work you will need to have a table that has all the users and the shop they belong to. Once you set up row level security, you can use AD groups in the portal to give users access to the report. https://learn.microsoft.com/en-us/power-bi/enterprise/service-admin-rls

To summarize, there are two different concepts: row level security is set up in the model; once the model/report is published, you can use AD groups to set up security so you can control who can access the report.

 
