Nory
Regular Visitor

Row Level Security when you have AD Groups

Hello Everyone,

I want to filter my report based on the user; each user has his own shop and can see its own data.

But there are thousands of users, and some users are able to see all shops' data.

That's why there are AD GROUPS: let's say shop directors belong to the A-group and the people from the siege of the company belong to the B-group in the AD and can see everything.

Now I want to just add both groups in the security report in the portal.

But I want each director to still see only his own shop's data.

Do you know how I can do that?


1 ACCEPTED SOLUTION
josef78
Memorable Member

Generally, you can use AD groups (and users) to assign report permissions or report roles. But for RLS rules you need to work with AD users (using userprincipalname), not with AD groups.

In your case you have two options:

1) Access control based on your existing AD groups (recommended). In this case you need to create two RLS roles:

- First, like "SeeEverything", without any RLS rules. To this role assign your AD B-group.

- Second, like "ShopDirectors", with an RLS rule (you will need a table with USER and SHOP columns for shop directors, with an RLS rule). To this role assign your AD A-group.

2) Without AD group dependency: create an RLS role with an RLS rule, using a table with USER and SHOP columns for all users (from the A or B group). To this role assign both A-group and B-group and maybe also Everyone (no matter, because access will be driven by the RLS rule).
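
The role definitions from both options written out as DAX table filters; this is an added example, not part of josef78's post. The table names `UserShop` and `Shop`, their columns and the sample rows are assumptions, and `Shop` is assumed to filter the fact tables through its relationships.

```dax
-- Assumed mapping table 'UserShop': one row per (user principal name, shop).
-- Constructed sample rows:
--   USER                     | SHOP
--   director1@contoso.com    | Shop001
--   director2@contoso.com    | Shop002

-- Option 1 ---------------------------------------------------------------
-- Role "SeeEverything": define no table filter at all.
--   In the service, add the AD B-group as a member of this role.
-- Role "ShopDirectors": add the AD A-group as a member and put this
--   table filter on 'Shop'. Each row of 'Shop' is kept only when the
--   signed-in user has a matching row in 'UserShop'.
'Shop'[SHOP]
    IN SELECTCOLUMNS (
        FILTER ( 'UserShop', 'UserShop'[USER] = USERPRINCIPALNAME () ),
        "SHOP", 'UserShop'[SHOP]
    )

-- Option 2 ---------------------------------------------------------------
-- One role only, carrying the same table filter on 'Shop'.
-- 'UserShop' must then hold rows for every user, including one row per
-- shop for each head-office user. A user with no rows in 'UserShop'
-- matches nothing and sees an empty report.
```

A user who belongs to several roles gets the union of their filters, so in option 1 anyone who is in both the A-group and the B-group sees every shop. RLS restricts only users with Viewer permission; workspace Admins, Members and Contributors are not filtered.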

3 REPLIES
v-luwang-msft
Community Support

Hi @Nory,

In my opinion, what you need is Dynamic Row Level Security with Hierarchy. For the Dynamic Row Level Security with Hierarchy case, you may refer to these blogs:

https://radacad.com/dynamic-row-level-security-with-organizational-hierarchy-power-bi

https://radacad.com/dynamic-row-level-security-in-power-bi-with-organizational-hierarchy-and-multipl...

https://www.blue-granite.com/blog/using-dynamic-row-level-security-with-organizational-hierarchies

Please understand that these links are provided “AS IS” with no warranties or guarantees of content changes, and confer no rights.

Best Regards

Lucien

Shahfaisal
Solution Sage

Row level security is set up in the model, and for this to work you will need to have a table that has all the users and the shop they belong to. Once you set up row level security, you can use AD groups in the portal to give users access to the report. https://learn.microsoft.com/en-us/power-bi/enterprise/service-admin-rls

To summarize, there are two different concepts: row level security is set up in the model; once the model/report is published, you can use AD groups to set up security so you can control who can access the report.
