I have a report and would like to limit my users data access using RLS so they can only see the data that pertaints to them. I have about 75 differenct users that will all have their own specific data sets.
I am relatively new to PBI and RLS is a new concept for me. I've read some tutorials and it seems fairly straight forward. I create roles in PBI desktop, upload to a workspace, and then give access by email address. I have a few questions:
I only have one pro account. Do all users have to have one?
Is there a way assign RLS based on a table so it is easier to manage?
Any other suggestions or references are greatly appreciated. Thanks!
Solved! Go to Solution.
Hi @heroyo -
Hope this helps!
Thanks @selimovd, I wish I could use the groups but I have 75 sales poeple and we don't want of them to see each other's performance.
Is it theoretically possible to create one group per person? It would be a lot to implement but it is the only solution I could think of other than creating 75 individule reports. Are there any other ways to approach this problem?
Hey @heroyo ,
yes, you can add a dynamic row level security, where every user just can see his own data.
For that you need a table with the user information, like an employee table with the email address of each employee.
This table you can filter on the USERPRINCIPALNAME(), what is the function to get the email address of the currently logged in user. Like this the user can only see his own data.
Check the following article on how to do that:
Hi @heroyo -
Hope this helps!
Thanks @Sumanth_23 this looks like an ideal solution. Would this work if I had only one premium account or would all my users have to have a pro account?
hi @heroyo - your users would also be required to have a Premium per User (PPU) license to access the reports that you publish - else if you have a Pro license then other users would also require a Pro license to view the reports
Below is the Microsoft documentation on the features for each of the license types:
|License type||Capabilities when workspace is in shared capacity||Additional capabilities when workspace is in Premium capacity|
|Power BI (free)||Access to content in My Workspace||Consume content shared with them|
|Power BI Pro||Publish content to other workspaces, share dashboards, subscribe to dashboards and reports, share with users who have a Pro license||Distribute content to users who have free licenses|
|Power BI Premium Per User||Publish content to other workspaces, share dashboards, subscribe to dashboards and reports, share with users who have a Premium Per User license||Distribute content to users who have free and Pro licenses|
Happy to help!
Hello @heroyo ,
usually you would not give access by individual email addresses. You would create active directory groups and assign the users to the group. So you could create a group "UK", one for "US", one for "France" and one for "Germany" and assign the user by what they should see. Then you would create a role for people who should be allowed to see only "UK", one role for people who should see only "US" etc.
Then for each dataset you have to assign the corresponding ad group to each role. When you have then a new user responsible for "UK" you just add him to the ad-group and he automatically has access to the correct data.
If the people work together in a workspace they all need a pro account.
If you have premium capacity you can let the workspace run in premium capacity, people who only consume reports don't need an extra license, everyone creating a report still needs a pro license.
Also take a look at the REST API to script a few of the tasks, also for ad groups.
Check out new user group experience and if you are a leader please create your group!
On-demand access to all the great content presented by the product teams and community members! #MSBizAppsSummit #CommunityRocks
Mark your calendars and join us for our next Power BI Dev Camp!