Nory
New Member

Row Level Security when you have AD Groups

Hello Everyone,

 

I want to filter my report based on the user: each user has his own shop and can see its own data.

But there are thousands of users, and some users are able to see all shops' data.

That's why there are AD groups: let's say shop directors belong to the A-group, and the people from the head office of the company belong to the B-group in the AD and can see everything.

Now I want to just add both groups in the security report in the portal.

But I want each director to still see only his own shop's data.

Do you know how I can do that?

 


 

1 ACCEPTED SOLUTION
josef78
Super User

Generally, you can use AD groups (and users) to assign report permissions or report roles. But for RLS rules you need to work with AD users (using userprincipalname), not with AD groups.

 

In your case you have two options:

1) Access control based on your existing AD groups (recommended). In this case you need to create two RLS roles:

- The first, like "SeeEverything", without any RLS rules. Assign your AD B-group to this role.

- The second, like "ShopDirectors", with an RLS rule (you will need a table with USER and SHOP columns for shop directors, with an RLS rule). Assign your AD A-group to this role.

 

2) Without AD group dependency: create an RLS role with an RLS rule on a table with USER and SHOP columns for all users (from the A or B group). Assign both the A-group and the B-group to this role, and maybe also Everyone (it does not matter, because access will be driven by the RLS rule).


3 REPLIES 3
v-luwang-msft
Community Support

Hi @Nory,

In my opinion, what you need is Dynamic Row Level Security with Hierarchy. For the Dynamic Row Level Security with Hierarchy case, you may refer to these blogs:

https://radacad.com/dynamic-row-level-security-with-organizational-hierarchy-power-bi

https://radacad.com/dynamic-row-level-security-in-power-bi-with-organizational-hierarchy-and-multipl...

https://www.blue-granite.com/blog/using-dynamic-row-level-security-with-organizational-hierarchies

 

Please understand that these links are provided “AS IS” with no warranties or guarantees of content changes, and confers no rights.

 

 

Best Regards

Lucien

Shahfaisal
Solution Sage

Row level security is set up in the model, and for this to work you will need to have a table that has all the users and the shop they belong to. Once you set up row level security, you can use AD groups in the portal to give users access to the report. https://learn.microsoft.com/en-us/power-bi/enterprise/service-admin-rls

To summarize, there are two different concepts: row level security is set up in the model; once the model/report is published, you can use AD groups to set up security so you can control who can access the report.
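
The two layouts from the accepted answer can be checked on paper before building them. The sketch below is an added example, not code from any poster in this thread: it models which shops a user ends up seeing under each option, using constructed users, groups and shop ids. It relies on Power BI's behaviour that a user assigned to several RLS roles gets the union of what those roles allow.

```python
# Added illustration: which shops a user can see under the two RLS layouts
# from the accepted answer. All names and data below are constructed.

ALL_SHOPS = {"S01", "S02", "S03"}

# Constructed AD membership (A-group = shop directors, B-group = head office).
GROUPS = {
    "A-group": {"dir1@contoso.example", "dir2@contoso.example", "both@contoso.example"},
    "B-group": {"hq1@contoso.example", "both@contoso.example"},
}

# Constructed USER/SHOP mapping table for shop directors (option 1).
DIRECTOR_SHOPS = [("dir1@contoso.example", "S01"), ("Dir2@Contoso.example", "S02"),
                  ("both@contoso.example", "S03")]


def shops_from_table(upn, table):
    """RLS rule: keep rows whose USER equals the signed-in UPN.
    Compared case-insensitively, as DAX string equality is."""
    return {shop for user, shop in table if user.lower() == upn.lower()}


def visible_option1(upn):
    """Two roles: SeeEverything (B-group, no rule) and ShopDirectors (A-group, rule).
    A user in several roles gets the union of what each role allows."""
    visible = set()
    if upn.lower() in GROUPS["B-group"]:
        visible |= ALL_SHOPS
    if upn.lower() in GROUPS["A-group"]:
        visible |= shops_from_table(upn, DIRECTOR_SHOPS)
    return visible


def visible_option2(upn, table):
    """One role assigned to everyone; only the USER/SHOP table decides access."""
    return shops_from_table(upn, table)


# Option 2 table: the first two directors, plus one row per shop for head office.
ALL_USERS_TABLE = DIRECTOR_SHOPS[:2] + [("hq1@contoso.example", s) for s in sorted(ALL_SHOPS)]

if __name__ == "__main__":
    for u in ("dir1@contoso.example", "hq1@contoso.example", "both@contoso.example"):
        print(u, sorted(visible_option1(u)), sorted(visible_option2(u, ALL_USERS_TABLE)))
```

Under option 1, a director who is also in the B-group sees every shop. Under option 2, a user with no row in the table sees nothing, whichever groups are assigned to the role.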

 
