SamTrexler
Helper IV

Groups for access versus groups for roles?

It appears that the groups used to control access to reports are not consistent with the groups used for roles in RLS. Is this correct? If so, there will be a big headache managing users and their access privileges!

 

As I understand it, after quite a bit of testing and research:

  • Power BI groups:
    • Allow you to share reports and dashboards with a user community, controlling access - works great
    • Cannot use an existing Office 365 security group, or add an Office 365 security group as a "member"
  • Roles defined for Row-Level Security:
    • Can control what data a user sees - very helpful, works fine, I just need to learn DAX better
    • Cannot add a Power BI group as a "member"

So it appears I have to set up two different groups to use these two features, and make sure I keep my users and groups synchronized manually? What a headache!

 

Does anyone have a solution for this?

 

Thanks.

1 ACCEPTED SOLUTION

Hi @SamTrexler,

 

1. "If I understand you correctly, the Power BI group will control access to the reports and dashboards, but has nothing to do with RLS. RLS has to be defined and managed separately, and separate groups set up for that if needed. Is that right?"

 

Yes, you are correct. Power BI group and RLS are different features, they are configured separately.

 

2. could you clarify for me your statement that "if you create a Power BI group, and set a member as group admin, the user can share the dashboard with Office 365 distribution group" (emphasis mine)? According to my security admin, "The only groups available in AD are office 365 groups, distribution, dynamic distribution, security and universal." Which type(s) of groups are you referring to with these two phrases? My testing isn't working as expected, so I need to know which types of groups work for this.

 

As you said "If I make him an Admin of the group, he can edit the reports shared with the HelpDesk group; and", I assume the member is an admin of the Power BI group, and explained that RLS is not applied for this member in this scenario.

What I mentioned, "user can share the dashboard with Office 365 distribution group", is that . And I have tested in the lab adding an Office 365 security group as a member of an RLS role, and it's working.

 

Best Regards,
Qiuyun Yu

 

 

Community Support Team _ Qiuyun Yu
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

8 REPLIES
SamTrexler
Helper IV

@v-qiuyu-msft, thanks for your reply. I understand what you have described, and have tested it. But it means that I have to create two separate groups to control the users' access - one to control whether they can see and/or edit reports and dashboards, and another to control what they can see. That means I've got to set up manual procedures to make sure I keep these two groups in sync, etc. - or purchase (or write) some software to do the synchronization for me.

What I am looking for is a way to do this with a single group. For example, if I add james.smith to the HelpDesk group then the following should happen:

  • James can run any report or dashboard shared with the HelpDesk group;
  • If I make him an Admin of the group, he can edit the reports shared with the HelpDesk group; and,
  • Row-Level Security will restrict which rows he can see, e.g., only those for stations that he is responsible for (unless he is an Admin, in which case he sees all rows).

As it stands now, unless I am missing something, I have to set up one kind of group (an Office365 group) to do the first two, and another kind of group (a security group) to do the last item. And that will be a big administrative headache.

 

Am I missing something? Is there a way to accomplish this? It seems ludicrous to force different groups for the different aspects of controlling access. I have submitted an "idea" to make these two areas consistent - that is, to allow either type of group to be used for both types of access. That way, I can still use two groups if I want to but I can use a single group if that makes sense, and ease the administrative work required to maintain the group and its reports and dashboards. Being able to use a single group will also limit the number of groups we need to have, which will further increase sharing of the reports and dashboards - and information.

 

But I'm hoping I have simply missed something, and someone can show me how to get this done. Is there any way to use a single group?

 

Thanks,

 

Sam

 

Hi @SamTrexler,

 

  • James can run any report or dashboard shared with the HelpDesk group;

    Do you mean the HelpDesk group is an Office 365 group?

  • If I make him an Admin of the group, he can edit the reports shared with the HelpDesk group; and,

    Do you mean the group of "Admin of the group" is a Power BI group or an Office 365 group?

  • Row-Level Security will restrict which rows he can see, e.g., only those for stations that he is responsible for (unless he is an Admin, in which case he sees all rows).

    In a Power BI group, RLS is not applied to a member who can edit the report or is the owner of the dataset.

In your scenario, if you create a Power BI group, and set a member as group admin, the user can share the dashboard with Office 365 distribution group, and he can also edit dashboards, reports and datasets with the group. But at the same time, RLS settings set for datasets within this Power BI group will not be applied for this user.

 

Best Regards,
Qiuyun Yu

 

 

Community Support Team _ Qiuyun Yu
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

@v-qiuyu-msft, thanks for the reply and confirmation. If I understand you correctly, the Power BI group will control access to the reports and dashboards, but has nothing to do with RLS. RLS has to be defined and managed separately, and separate groups set up for that if needed. Is that right?

 

Also, could you clarify for me your statement that "if you create a Power BI group, and set a member as group admin, the user can share the dashboard with Office 365 distribution group" (emphasis mine)? According to my security admin, "The only groups available in AD are office 365 groups, distribution, dynamic distribution, security and universal." Which type(s) of groups are you referring to with these two phrases? My testing isn't working as expected, so I need to know which types of groups work for this.

 

Thanks for your help.

 

Sam


So have you gotten this to work with Dynamic Distribution Groups? 

Hi,

 

I have created one group on Power BI whose name is powerbi_testrls, which has read access only, as mentioned.

I've created a role whose name is User US, which implements row level security.

When I click on my dataset > security, I see all my organisation emails but I don't see my Power BI Group.

Hi, 

 

I have 5 roles: Role-1, Role-2, Role-3, Role-4, Role-5.

In Power BI, I added emails to particular role groups. I have multiple users for Support, and these users have access to all groups. How can I manage all roles in Power BI, or how can I create a Support role group in Power BI Desktop?

I have one table, RoleGroup:

Role_Code  Role_Name
1          Role-1
2          Role-2
3          Role-3
4          Role-4
5          Role-5

and in Power BI Desktop I assigned each role = [Role_Code] = "1" or other values.

How can I manage for Support Role = [Role_Code] in ("1","2","3","4","5")

Please guide.

Thanks

vilas jadhav 

 

v-qiuyu-msft
Community Support

Hi @SamTrexler,

 

 

In Power BI Service, RLS is used for restricting data access for given users, while the group workspace is used for restricting group members to view or edit group content.

 

But we can use those two features at the same time. We can use the RLS feature for a dataset which is stored in a Power BI group workspace. But the roles will be applied to read-only members. So in a group, we need to specify that the members who are added under roles can only view content, like below:

[Image: rls-group-settings.png]

 

If you have any question, please feel free to ask.

 

Best Regards,
Qiuyun Yu

 

 

Community Support Team _ Qiuyun Yu
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
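
An audit for the mismatch discussed in this thread, added here as an example and not posted by any participant or taken from Microsoft tooling: it compares workspace access levels with RLS role membership and reports role members who hold edit rights (for whom, per the replies above, RLS is not applied), view-only members mapped to no role, and role members with no workspace access. The e-mail addresses, the security group name and the data layout are constructed assumptions.

```python
# Constructed sample data; a real audit would load exported membership lists.
# Workspace (Power BI group) members and their access level.
WORKSPACE_MEMBERS = {
    "james.smith@example.com": "view",
    "ana.lopez@example.com": "view",
    "lee.wong@example.com": "edit",
    "sam.admin@example.com": "admin",
}
# Security groups resolved to users (hypothetical group name, one level deep).
SECURITY_GROUPS = {
    "sg-helpdesk-east": {"james.smith@example.com", "lee.wong@example.com"},
}
# RLS roles on the dataset; each member is a user or a security group.
RLS_ROLES = {"User US": {"sg-helpdesk-east", "old.user@example.com"}}
EDIT_LEVELS = {"edit", "admin"}


def expand(members, groups):
    """Resolve security groups to their users; plain users pass through."""
    users = set()
    for member in members:
        users |= groups.get(member, {member})
    return users


def audit(workspace, roles, groups):
    """Compare workspace access with RLS role membership."""
    in_any_role = set()
    for members in roles.values():
        in_any_role |= expand(members, groups)
    editors = {u for u, level in workspace.items() if level in EDIT_LEVELS}
    viewers = set(workspace) - editors
    return {
        # Role members with edit rights: per the thread, RLS is not applied.
        "rls_not_applied": sorted(editors & in_any_role),
        # View-only members mapped to no role: the two lists have drifted.
        "viewer_without_role": sorted(viewers - in_any_role),
        # Role members with no access to the workspace content.
        "role_without_access": sorted(in_any_role - set(workspace)),
    }


if __name__ == "__main__":
    report = audit(WORKSPACE_MEMBERS, RLS_ROLES, SECURITY_GROUPS)
    for finding, users in report.items():
        print(f"{finding}: {', '.join(users) or 'none'}")
```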
