gemgorey
Advocate I

App audiences and OLS permissions

Hi all! Hoping someone on here can offer some advice.

 

I have a "golden dataset" which holds all my company information. On that master dataset I have OLS on some tables and columns that I don't want to be viewed by everyone. I then have several chained datasets that use DirectQuery from the master, and they only import the tables that they need. (As an aside, I wasn't aware that this feature was a thing - I had read that in order to choose the tables for the report, it needed to be a composite model, but it did let me select the relevant tables.) I can't implement RLS on these chained datasets, but everything I have read leads me to believe that end users should still be limited by the RLS on the original dataset.

 

I have distributed the content to an overall company app, with multiple audiences. A user of the group who shouldn't be able to see anything can still see the schema of all of the other datasets which are stored in the app if they go to the datasets view. I have stored all reports in the same workspace as I wanted it all in one app rather than having several apps. They can't access the data and nothing is clickable, but I don't really want them to see the table names etc.

 

Is there a way around this? 

 

Thanks!

4 REPLIES
Tutu_in_YYC
Resident Rockstar

Is the user that can see all the data (but is not supposed to) a part of the workspace with a role that is not Viewer?

And you mentioned OLS and RLS? Are both implemented in the dataset? 

Hi and thanks for your reply,

 

I don't have anyone in the workspaces other than myself. I have been trying to implement things as much as I can with the recommendations from Microsoft, with data being distributed through the new app audiences. So my people are not members of any of the workspaces; they have build access to the golden dataset (which I believe they need) and read access to the chained dataset granted through the app only. I have OLS rules set in Tabular Editor which are assigned to the roles set up in the golden dataset. These people are assigned in the security options in the golden dataset. I haven't got any RLS set up at the minute but I will need that soon (I believe there is a workaround to get both to work together). I said RLS by mistake as the service only seems to refer to RLS, but my roles are OLS.

 

So that's my setup at the minute. The person can't get at any data but for business reasons I'd rather them not be able to see the schema and names of measures etc.

 

I will add that I am new to PBI and although I am trying to absorb as much info as possible from forums and tutorials - it is likely that I have missed something obvious!

 

Thanks 🙂

 

 

Based on my experiment a few months ago (also validated by other users in this forum), you can't implement OLS and RLS both in the same dataset.

You may have already seen this, but this is a good overview blog on both OLS and RLS. I have not tried OLS on a chained dataset, but I will give it a try when I have the chance.
 

Thanks for that and the info! Yes, I have read that they can't be used together, but I read about (but have not tried) a workaround where you create groups with every permutation of the permissions - e.g. group 1 OLS with group 1 RLS, group 1 OLS with group 2 RLS etc... Sounds a bit long-winded but hopefully implementable.

 

I have done a bit more testing today and found the following...

 

The person that could see the schemas of all the datasets was someone I inadvertently added to the wrong audience in the app whilst testing. When I have looked at the permissions in the dataset it shows that she now has read access to the datasets that she had access to in the higher group, even though I have now placed her in a different audience straight away. So this means if we downgrade or change an audience we will need to ensure that the dataset permissions are removed for reports they shouldn't have, following a change of audience.

 

No-one else (who I added to the correct audiences) can see any dataset that they aren't meant to, even though these are stored in the same workspace - which is good - but they can still see columns that should be restricted to them with their OLS permissions.  They can't click on anything though.

 

I would just prefer if they couldn't see that column title, that's all! Does anyone have any ideas?
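
The clean-up described above (dataset permissions that stay behind after a user is moved to another audience) can be checked by reconciling the permissions listed on each dataset against what the current audiences justify. This is an added example, not part of the original thread and not a Power BI API: all audience, dataset and user names are hypothetical, and the grant list is assumed to have been copied by hand from each dataset's permissions page.

```python
"""Constructed example: find dataset grants left behind after an app-audience change."""

# Constructed sample data; every name below is hypothetical.
# Datasets that each audience's reports are built on.
AUDIENCE_DATASETS = {
    "Finance": {"finance_chained"},
    "Sales": {"sales_chained"},
}
# Chained dataset -> the dataset it reads from (the "golden dataset").
UPSTREAM = {"finance_chained": "golden", "sales_chained": "golden"}
# Audience membership after the correction has been made in the app.
USER_AUDIENCES = {"alice": {"Sales"}, "bob": {"Finance"}}
# Permissions as currently listed on each dataset (assumed manual export).
DATASET_GRANTS = [
    ("alice", "sales_chained", "Read"),
    ("alice", "finance_chained", "Read"),  # left over from the wrong audience
    ("alice", "golden", "Build"),
    ("bob", "finance_chained", "Read"),
    ("bob", "golden", "Build"),
    ("carol", "golden", "Build"),          # user is in no audience at all
]


def expected_datasets(user):
    """Datasets a user should reach: audience datasets plus everything upstream."""
    needed = set()
    stack = [d for a in USER_AUDIENCES.get(user, ())
             for d in AUDIENCE_DATASETS.get(a, ())]
    while stack:
        ds = stack.pop()
        if ds not in needed:
            needed.add(ds)
            if ds in UPSTREAM:          # follow the chain back to the source
                stack.append(UPSTREAM[ds])
    return needed


def stale_grants(grants):
    """Return grants that no current audience justifies, sorted for review."""
    return sorted((u, d, p) for u, d, p in grants
                  if d not in expected_datasets(u))


if __name__ == "__main__":
    for user, dataset, perm in stale_grants(DATASET_GRANTS):
        print(f"review: {user} still has {perm} on {dataset}")
```
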

 

 
