dnsnikul
Frequent Visitor

Power BI Apps and Reports Dynamic RLS

Hello everyone, I ask you to help with the Power BI Service. There is a report "Report1" made with dynamic RLS for the role "Role1", and everything works well in Power BI Desktop.

1. We publish the report "Report1" in Power BI Services and then add this report to the Power App for this workspace.

2. Add the user to the "Role1" role in the "Report1" security settings.

3. We go into the App and in the security settings give the user access to the App. The user opens the App and everything works fine.

 

Question - is it possible to make it so that, without adding a user to the "Role1" role at the report level, the user can see the data on this report in the App? If you do not add the user to the role "Role1", then at the App level he sees that the report exists, but does not see the data in it.

How to avoid manual input of each user at the report level and for dynamic RLS to work? (that is, we add the user at the App level and that's it) Maybe we can try somehow through measures?

 

As I see this situation, the only way (maybe also through measures, but I don't know yet) is to add all users manually to the "Role1" role at the report level, because what we provide at the app level is access to the visibility of the app, not to the data in the reports in the app.

1 ACCEPTED SOLUTION
ibarrau
Super User

Hi. I don't think you can get rid of all manual interaction. However you can reduce it. I usually create AD Groups for this. All users in the same role can be added in a group. That way you can add the group to RLS rules in service and add the group to the App sharing.

Now the management can be done by the IT team. New member in AD, add it to the group and everything will be shared and with the permission required. You can centralize the configuration in a single group if you make it that way.

I hope that helps,


If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.

Happy to help!

LaDataWeb Blog


5 REPLIES
Burningsuit
Resident Rockstar

Hi @dnsnikul 

It looks like you've actually configured what is called "static" RLS.

In your role, on the Table, you have something like [security] = "yes". This means that any user who has that role will only see rows where the column [security] contains "yes".

You are right that in this case you have to add each user to the role to have it apply to them.

You could add a Distribution Group, Security Group or Mail-enabled Group to the role. Then you'll need to add the users to the group you've used each time you want to add or subtract a user from the security role. Then you don't need to go into Power BI to change the security, just change the group.

Alternatively, you could use "dynamic" RLS. This is where the security role says something like [Security] = USERPRINCIPALNAME() and is assigned to everyone. This means that the rows are made visible for users where the column [security] matches their Power BI login name (for example "fred@contoso.com").

This is very powerful as it places the security in the data, rather than in Power BI. To change security you change the data and refresh the Power BI dataset rather than going into Power BI and adding users to the role. The DAX in the Table Filter DAX expression can be used to implement all manner of security solutions.

See Dynamic Row Level Security with Power BI Made Simple - RADACAD

Hope this helps

Stuart
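The static and dynamic role filters described in the post above, side by side, as an added example that is not part of the original thread. The third variant goes beyond the post by using a mapping table; the names Sales, UserRegion, UserEmail and Region are hypothetical.

```dax
// Each expression below is a separate "Table filter DAX expression"
// entered on a role in Manage roles. They are alternatives, not one script.

// 1) Static RLS: every member of the role sees the same fixed slice.
//    Who sees it is decided only by role membership.
[security] = "yes"

// 2) Dynamic RLS: the visible rows depend on who is signed in.
//    [Security] holds a login name per row (e.g. "fred@contoso.com").
//    The role still has to be assigned to the user or to a group.
[Security] = USERPRINCIPALNAME()

// 3) Dynamic RLS through a mapping table (hypothetical names).
//    Filter defined on Sales; UserRegion has one row per
//    (UserEmail, Region) pair, so one user can map to many regions.
VAR CurrentUser = USERPRINCIPALNAME()
RETURN
    Sales[Region] IN
        SELECTCOLUMNS(
            FILTER ( UserRegion, UserRegion[UserEmail] = CurrentUser ),
            "Region", UserRegion[Region]
        )

// 4) Companion filter defined on UserRegion itself (hypothetical names).
//    Without it, role members can read every row of the mapping table,
//    i.e. who is entitled to what.
UserRegion[UserEmail] = USERPRINCIPALNAME()
```

With variants 2 to 4, entitlement changes are made in the data and picked up on refresh, while role membership in the service stays a one-time assignment when a group is used.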

Thanks, but you misunderstood, I already use dynamic RLS with USERPRINCIPALNAME(), everything works well. My question is how not to constantly add users to my role in which dynamic RLS is running.

Well, like @ibarrau I'd just have one AD group with everyone in it, and assign that to the dynamic role in Power BI. I think that's your only option.

Stuart

Yes, thank you, this option was also considered, but the customer wants to try to do without connecting another group that deals with AD.
