SamTrexler Member

Groups for access versus groups for roles?

It appears that the groups used to control access to reports are not consistent with the groups used for roles in RLS. Is this correct? If so, there will be a big headache managing users and their access privileges!

 

As I understand it, after quite a bit of testing and research:

  • Power BI groups:
    • Allow you to share reports and dashboards with a user community, controlling access - works great
    • Cannot use an existing Office 365 security group, or add an Office 365 security group as a "member"
  • Roles defined for Row-Level Security:
    • Can control what data a user sees - very helpful, works fine, I just need to learn DAX better
    • Cannot add a Power BI group as a "member"

So it appears I have to set up two different groups to use these two features, and make sure I keep my users and groups synchronized manually? What a headache!

 

Does anyone have a solution for this?

 

Thanks.

Moderator v-qiuyu-msft

Re: Groups for access versus groups for roles?

Hi @SamTrexler,

 

 

In Power BI Service, RLS is used for restricting data access for given users, while the group workspace is used for restricting group members to view or edit group content.

 

But we can use those two features at the same time. We can use the RLS feature for a dataset which is stored in a Power BI group workspace. But the roles will be applied to read-only members. So in a group, we need to specify that the members added under roles can only view content, like below:

 

[Image: rls-group-settings.png]

 

If you have any question, please feel free to ask.

 

Best Regards,
Qiuyun Yu

 

 

SamTrexler Member

Re: Groups for access versus groups for roles?

@v-qiuyu-msft, thanks for your reply. I understand what you have described, and have tested it. But it means that I have to create two separate groups to control the users' access - one to control whether they can see and/or edit reports and dashboards, and another to control what they can see. That means I've got to set up manual procedures to make sure I keep these two groups in sync, etc. - or purchase (or write) some software to do the synchronization for me.

 

What I am looking for is a way to do this with a single group. For example, if I add james.smith to the HelpDesk group then the following should happen:

  • James can run any report or dashboard shared with the HelpDesk group;
  • If I make him an Admin of the group, he can edit the reports shared with the HelpDesk group; and,
  • Row-Level Security will restrict which rows he can see, e.g., only those for stations that he is responsible for (unless he is an Admin, in which case he sees all rows).

As it stands now, unless I am missing something, I have to set up one kind of group (an Office365 group) to do the first two, and another kind of group (a security group) to do the last item. And that will be a big administrative headache.

 

Am I missing something? Is there a way to accomplish this? It seems ludicrous to force different groups for the different aspects of controlling access. I have submitted an "idea" to make these two areas consistent - that is, to allow either type of group to be used for both types of access. That way, I can still use two groups if I want to but I can use a single group if that makes sense, and ease the administrative work required to maintain the group and its reports and dashboards. Being able to use a single group will also limit the number of groups we need to have, which will further increase sharing of the reports and dashboards - and information.

 

But I'm hoping I have simply missed something, and someone can show me how to get this done. Is there any way to use a single group?

 

Thanks,

 

Sam

 

Moderator v-qiuyu-msft

Re: Groups for access versus groups for roles?

Hi @SamTrexler,

 

  • James can run any report or dashboard shared with the HelpDesk group;

       Do you mean the HelpDesk group is an Office 365 group?

 

  • If I make him an Admin of the group, he can edit the reports shared with the HelpDesk group; and,

        Do you mean the group of "Admin of the group" is Power BI group or Office 365 group?

 

  • Row-Level Security will restrict which rows he can see, e.g., only those for stations that he is responsible for (unless he is an Admin, in which case he sees all rows).

         In a Power BI group, RLS is not applied for a member who can edit the report or is the owner of the dataset.

 

In your scenario, if you create a Power BI group, and set a member as group admin, the user can share the dashboard with an Office 365 distribution group, and he can also edit dashboards, reports and datasets within the group. But at the same time, RLS settings set for datasets within this Power BI group will not be applied for this user.

 

Best Regards,
Qiuyun Yu

 

 

SamTrexler Member

Re: Groups for access versus groups for roles?

@v-qiuyu-msft, thanks for the reply and confirmation. If I understand you correctly, the Power BI group will control access to the reports and dashboards, but has nothing to do with RLS. RLS has to be defined and managed separately, and separate groups set up for that if needed. Is that right?

 

Also, could you clarify for me your statement that "if you create a Power BI group, and set a member as group admin, the user can share the dashboard with Office 365 distribution group" (emphasis mine)? According to my security admin, "The only groups available in AD are office 365 groups, distribution, dynamic distribution, security and universal." Which type(s) of groups are you referring to with these two phrases? My testing isn't working as expected, so I need to know which types of groups work for this.

 

Thanks for your help.

 

Sam

Moderator v-qiuyu-msft (Accepted Solution)

Re: Groups for access versus groups for roles?

Hi @SamTrexler,

 

1. "If I understand you correctly, the Power BI group will control access to the reports and dashboards, but has nothing to do with RLS. RLS has to be defined and managed separately, and separate groups set up for that if needed. Is that right?"

 

Yes, you are correct. Power BI group and RLS are different features; they are configured separately.

 

2. could you clarify for me your statement that "if you create a Power BI group, and set a member as group admin, the user can share the dashboard with Office 365 distribution group" (emphasis mine)? According to my security admin, "The only groups available in AD are office 365 groups, distribution, dynamic distribution, security and universal." Which type(s) of groups are you referring to with these two phrases? My testing isn't working as expected, so I need to know which types of groups work for this.

 

As you said "If I make him an Admin of the group, he can edit the reports shared with the HelpDesk group; and", I assumed the member is an admin of the Power BI group, and explained that RLS is not applied for this member in this scenario.

 

What I mentioned "user can share the dashboard with Office 365 distribution group" is that . And I have tested in the lab adding an Office 365 security group as a member of an RLS role, and it's working.

 

Best Regards,
Qiuyun Yu

 

 

Community Support Team _ Qiuyun Yu
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
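The behaviour described in this thread (the access group and the RLS roles are maintained separately, and RLS is not applied to members who can edit) can be checked with a small reconciliation script. This is an added example, not code from any poster or from Power BI; the `Member` type, the `audit_access` function, and all user and role names are hypothetical, and the membership data is constructed inline rather than read from the service.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    user: str
    can_edit: bool  # True: group admin/editor; False: view-only member


def audit_access(workspace, rls_roles):
    """Reconcile access-group membership with RLS role membership.

    workspace: list of Member; rls_roles: dict of role name -> set of users.
    """
    roles_of = {}
    for role, users in rls_roles.items():
        for user in users:
            roles_of.setdefault(user, []).append(role)

    report = {"rls_bypassed": [], "filtered": {}, "no_role": []}
    for m in workspace:
        if m.can_edit:
            # Per the thread: RLS is not applied to members who can edit.
            report["rls_bypassed"].append(m.user)
        elif m.user in roles_of:
            report["filtered"][m.user] = sorted(roles_of[m.user])
        else:
            # Drift: in the access group, but in no RLS role.
            report["no_role"].append(m.user)

    # Drift: listed in an RLS role, but not in the access group.
    members = {m.user for m in workspace}
    report["role_without_access"] = sorted(set(roles_of) - members)
    return report


# Constructed sample data; every name below is hypothetical.
WORKSPACE = [
    Member("james.smith", can_edit=False),
    Member("ana.lopez", can_edit=True),
    Member("li.wei", can_edit=False),
]
RLS_ROLES = {
    "Stations-North": {"james.smith", "ana.lopez"},
    "Stations-South": {"omar.haddad"},
}

if __name__ == "__main__":
    for finding, users in audit_access(WORKSPACE, RLS_ROLES).items():
        print(f"{finding}: {users}")
```

The `no_role` and `role_without_access` lists are the two directions of drift between the groups; `rls_bypassed` lists accounts whose role membership has no filtering effect.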
jadhav_vilas84 Regular Visitor

Re: Groups for access versus groups for roles?

Hi, 

 

I have 5 roles: Role-1, Role-2, Role-3, Role-4, Role-5.

 

In Power BI, I have added emails to particular role groups. I have multiple users for Support, and these users have access to all groups. How can I manage all roles in Power BI, or how can I create a Support role group in Power BI Desktop?

I have one table, RoleGroup:

Role_Code   Role_Name
1           Role-1
2           Role-2
3           Role-3
4           Role-4
5           Role-5

 

and in Power BI Desktop I have assigned each role = [Role_Code] = "1" or other values.

 

How can I manage the Support role = [Role_Code] in ("1","2","3","4","5")?

 

Please guide. 

 

Thanks,

Vilas Jadhav

 

mgo Frequent Visitor

Re: Groups for access versus groups for roles?

Hi,

 

I have created one group in Power BI, named powerbi_testrls, which has read access only, as mentioned.

I've created a role named User US which implements row-level security.

When I click on my dataset > Security, I see all my organisation's emails but I don't see my Power BI group.

Heidebrink Frequent Visitor

Re: Groups for access versus groups for roles?

So have you gotten this to work with Dynamic Distribution Groups?