MFoo
Frequent Visitor

Publishing PBI does not always respect RLS

We're a PowerApps ISV company and we have a solution that's a model-driven app based on PowerApps, it's an evolution from the original offering that was based off D365. 
 
We generate a lot of data and we're looking into expanding our reporting offering and PowerBI seems like the logical solution but I'm having inconsistent results when publishing a PBI report to PowerBI.com for consumption from within the model-driven app.
 
Right. So just putting out there that initial presumptions are that all users involved in the testing have the following:
  • Valid PowerBI Pro license
  • Valid PowerApps licence
  • Access to the PBI workspace that stores the published PBI report
  • Access to the correct security role(s) in PowerApps and access to at least a subset of the total records in PowerApps that are shown on the PBI report.
  • The report for in-PowerApps consumption is direct-query.
Having stated all that, PowerBI publishing a report to powerbi.com can be done 2 ways.
  1. Open PowerBI.com and pull the report up from a file source (local file, etc).
  2. Open PowerBI Desktop and push the report up to Powerbi.com
We've deployed a simple test report into our dev environment and tested the security features/functionality initially using the second method and the results were discouraging.
 
I had a colleague emulate a lower-security user with access to a single client, and he should have only seen the results from a small subset of the total data stored in the dev environment.
 
Using the first method, my colleague could access the report and had visibility of ALL data in the system, it was not honouring his role-level security or visibility settings.
 
We played around with this for a bit (security settings, multiple refreshes, etc) and we were not able to get it to work.
 
Eventually we republished the report using the second method, from within PowerBI Desktop, and we got very different results. This time the report showed the expected results. My colleague was limited to the expected 33 records from the total available pool of 251 (plus thousands of related records).
 
So what this says is that there's a difference in the logic being applied between publish actions from the desktop app and the website.  Has anyone else had this experience or is this something new?  Should these two methods be the same (if not, maybe the naming should clarify that)?

Please help!  We need to find certainty because I need to guide all the team doing deployments/consulting/etc.  Thanks all!
2 REPLIES
MFoo
Frequent Visitor

Hey Eason,

Thanks for the reply.

For an ISV, PowerBi's RLS is rubbish.  Any data system will have security measures in place and the expectation to replicate that in a separate reporting system is a complete waste of time, unless of course you're paid by the hour.

Direct Query PowerBI reports from SQL Server with credential pass-through WILL and DOES honour the user's security settings IF you publish "correctly", as per my original post.

My question is why is there a difference?  And secondly, should there be a difference?  I would think that publishing a report from PowerBI desktop to Powerbi.com via ANY of the mechanisms Microsoft provide should be a consistent experience with consistent end results, surely?

Or is that not what I should be expecting?  Happy to be wrong but would love to understand why.

v-easonf-msft
Community Support

Hi, @MFoo 

Row-level security (RLS) with Power BI can be used to restrict data access for given users.

Typically, you need to add user accounts as workspace "Viewer" and add them to the RLS roles you create. RLS does not apply to workspace members who are assigned Admin, Member, or Contributor.

 

Using RLS with workspaces in Power BI
If you publish your Power BI Desktop report to a new workspace experience in the Power BI service, the RLS roles are applied to members who are assigned to the 'Viewer role' in the workspace. Even if Viewers are given Build permissions to the dataset, RLS still applies. For example, if Viewers with Build permissions use Analyze in Excel, their view of the data will be protected by RLS. Workspace members assigned Admin, Member, or Contributor have edit permission for the dataset and, therefore, RLS doesn’t apply to them. If you want RLS to apply to people in a workspace, you can only assign them the Viewer role. Read more about roles in the new workspaces.
 

Best Regards,
Community Support Team _ Eason
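
The workspace-role rule described in the reply above can be checked before a deployment; the following is an added example, not part of the original post or Microsoft's code. It assumes a user list shaped like the `value` array of the Power BI REST API "Groups - Get Group Users" response and a hypothetical export of RLS role membership; every address and the role name are constructed.

```python
# Constructed sample shaped like the "value" array of the Power BI REST API
# "Groups - Get Group Users" response; all names and addresses are made up.
WORKSPACE_USERS = [
    {"identifier": "admin@contoso.example", "principalType": "User", "groupUserAccessRight": "Admin"},
    {"identifier": "dev@contoso.example", "principalType": "User", "groupUserAccessRight": "Contributor"},
    {"identifier": "consultant@contoso.example", "principalType": "User", "groupUserAccessRight": "Member"},
    {"identifier": "client1@contoso.example", "principalType": "User", "groupUserAccessRight": "Viewer"},
    {"identifier": "client2@contoso.example", "principalType": "User", "groupUserAccessRight": "Viewer"},
    {"identifier": "00000000-0000-0000-0000-000000000001", "principalType": "Group", "groupUserAccessRight": "Member"},
]
# Hypothetical export of RLS role membership for the dataset (role -> members).
RLS_ROLE_MEMBERS = {"SingleClient": {"client1@contoso.example", "consultant@contoso.example"}}

# Workspace roles with edit permission on the dataset: RLS is not applied to them.
RLS_EXEMPT = {"Admin", "Member", "Contributor"}

def audit_rls(users, role_members):
    """Classify each workspace principal by whether RLS filters what it sees."""
    in_any_role = {m.lower() for members in role_members.values() for m in members}
    report = {"bypasses_rls": [], "rls_enforced": [], "viewer_without_role": [], "unknown_right": []}
    for u in users:
        ident = u["identifier"].lower()
        right = u.get("groupUserAccessRight")
        if right in RLS_EXEMPT:
            # Being listed in an RLS role does not help: the workspace role wins.
            note = " (also in an RLS role, which is ignored)" if ident in in_any_role else ""
            kind = " [group: every member inherits this]" if u.get("principalType") == "Group" else ""
            report["bypasses_rls"].append(f"{ident}: {right}{note}{kind}")
        elif right == "Viewer":
            # Viewers are the only workspace role RLS applies to.
            key = "rls_enforced" if ident in in_any_role else "viewer_without_role"
            report[key].append(ident)
        else:
            report["unknown_right"].append(ident)
    return report

if __name__ == "__main__":
    for bucket, entries in audit_rls(WORKSPACE_USERS, RLS_ROLE_MEMBERS).items():
        print(bucket)
        for e in entries:
            print("  ", e)
```

Entries under `bypasses_rls` are the accounts to move to Viewer if they are expected to see filtered data; `viewer_without_role` lists Viewers that no RLS role covers and that need a role assignment reviewed.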
