Power BI and Role Based Security for 800 people - powerbi

I created a role in Power BI desktop - filters the data using UserPrincipalName().
I go to Security in the Power BI Service and add a member to the role. Everything works great!
Now, I need to add another 799 members to this role. Isn't there an easier way? How do I make this work so that for any user that runs the report, the filter kicks in and the user sees all data related to them, without explicitly adding them to the role I defined?

Here's what I ended up doing:
User = CONCATENATEX(Responses, IF(Responses[Feedback For] = USERPRINCIPALNAME(), "This User", "Other User"))
I created a measure called User and added this measure as a filter - locked it and made it invisible.

Related

Row Level Security (RLS) in Power BI with multiple roles does not work anymore - no change made actually

I have a Power BI report that I publish as an app to several people.
Let's assume, the report has a table "Reps" and a table "Customers".
The "rep table" has the following interesting columns:
Rep Name
Rep Nr
Region
The "Customer table" has the following interesting columns:
Rep Nr
Customer Nr
Customer Name
The "Rep Nr" is the join key, while it is a many to many (m:n) relationship, where the direction is "rep" filters "customer".
With RLS, I created different roles. For example:
Region 1: [REGION_CODE] = "1"
Region 2: [REGION_CODE] = "2"
Rep: [Rep User Principal] = userprincipalname()
The setting is, that I advise a complete (email/user) distribution list to the role Rep by default. In this role, everyone is included, and each rep sees only his customers.
In the role region 1 are some people included, that can see not only his customers, but all customers of this region.
This worked perfectly fine for more than a year. It was never a problem to assign a user to several roles. However, since approximately mid-December 2021, it does not work anymore. I did not change anything. People who are assigned to n roles cannot see any data.
The message I get in Power BI Desktop:
Couldn't load the data for this visual.
The user belongs to multiple roles 'Region 1, Rep' that have security filters, which isn't supported when one of the roles has filters affecting table 'Customers' with SecurityFilteringBehavior=Both relationships.
Does anyone know if Microsoft/Power BI changed anything that explains this behavior?
Does anyone know if I can easily change it to the old setting?
There was a change that broke this around the December 2021 update.
Source (See response from v-jayw-msf): https://community.powerbi.com/t5/Service/Dashboard-with-multiple-RLS-roles-work-in-My-Workspace-but-fails/m-p/2264783#U2264783
This was not resolved as of 2/7/2022, but two workarounds have been provided in the Microsoft documentation.
Source: https://learn.microsoft.com/en-us/power-bi/admin/service-admin-rls#issue-multiple-roles-and-limited-relationships

Power BI RLS with Distribution List not working

I have a Power BI report which has RLS implemented through a dimension table.
I have created roles with individual email ID and user principal name, and this seems to be working perfectly well.
However, when I want to add close to 600 users, I have created a distribution list, and when I put the DL in the role it does not seem to work.
All the users have premium subscription.
Any pointers here will be much appreciated

How secure is Row-Level Security in Power BI?

I am wanting to know how secure Row-Level Security is.
We are currently working on creating a dashboard that would be shared with 500 users within our organisation. All of these users are managers and we would be using dynamic row-level security so that each user would only be able to view information in the dashboard related to their own team.
I have tested RLS and it worked fine, but I have had another Power BI user tell me that RLS is not completely secure as my base data is coming from Excel. My base data is in Excel, but I convert it into a pbix file in Power BI Desktop before creating the role, then publishing to the Power BI service, where I assign users to the role and give read-only access.
I am wondering once I have shared the dashboard with these users is there any way for them to get around the RLS and access the base data?
Thanks in advance,
Amy
There are a number of factors to consider for imported data.
If the user can download the report, they could remove the role and access all the data. I would recommend turning this off in the Power BI Admin portal for selected users, or an AD group.
They could connect to the dataset via Excel or another report and get the data that way without the role level filter being used. Having them as read only is one way of stopping them altering the report. I would suggest deploying the report as an app, then they can only access the surfaced report not the underlying dataset.

Using RLS with Analysis Service Live Connection in a PBIE "App Owns Data" scenario

I'm kind of new to PBI and I'm looking if it's the right tool for my case.
I would like to use Power BI Embedded in a web application for our customer (where they're logged in) which do not have any Power BI account/licence.
The database on which the reports are based are on-premise so we would use Analysis Service Live Connection to access them.
Each customer should have his own report.
Is it possible to use RLS in that case?
Does that mean we've to create a role for each of them?
What username should be given in the EffectiveIdentity? Is it 'free text' that is used by PBI to get the username in the DAX?
If each customer will have his own report, then why do you need RLS at all? Just make the report to show what the user is supposed to see. Or you want to have a single report (or set of reports), which is shared between the users and they should see only their data? I will assume it is the latter one.
I will start with the last question - the effective identity is not a "free text". It must be a valid user name, having rights to access the data, as specified in the documentation:
The effective identity that is provided for the username property must be a Windows user with permissions on the Analysis Services server.
Then you can define RLS in your Analysis Service model, by adding a "users security" table, where you specify which rows should be visible to each user. Define relationships between this users security table and other tables in the model, and then let RLS filter the data in the security table. The relationships with the rest of the model will apply cascade filtering on the data, so only relevant rows will be visible to the user. See Implement row-level security in an Analysis Services tabular model for example.
So the answer to your second question is no, you don't need a separate role for each user, because the filtering is based on the username and for every user it filters the same thing the same way.
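An added example, not part of the answer above: since every row filter keys off the effective identity's username, the embedding web application should derive that username from its own authenticated session and never from client input. The mapping table, account names, dataset id and the `requested_username` parameter are hypothetical; the request body follows the Power BI REST GenerateToken shape.

```python
# Hypothetical server-side mapping: web-app customer id -> Windows account that
# has permissions on the Analysis Services server. Constructed values.
CUSTOMER_TO_AS_USER = {
    "cust-1001": "CONTOSO\\svc_cust1001",
    "cust-1002": "CONTOSO\\svc_cust1002",
}
DATASET_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real id


def effective_identity_for(session, dataset_id, roles=None):
    """Build the effective identity from the authenticated session only."""
    if not session.get("authenticated"):
        raise PermissionError("no authenticated session")
    username = CUSTOMER_TO_AS_USER.get(session.get("customer_id"))
    if username is None:
        raise PermissionError("customer has no mapped Analysis Services user")
    identity = {"username": username, "datasets": [dataset_id]}
    if roles:  # only sent when the model defines roles to select
        identity["roles"] = list(roles)
    return identity


def generate_token_body(session, dataset_id, requested_username=None):
    """Body for POST .../groups/{groupId}/reports/{reportId}/GenerateToken.

    A username arriving from the browser is never used; a value that differs
    from the session's mapping is rejected so the attempt can be logged.
    """
    identity = effective_identity_for(session, dataset_id)
    if requested_username is not None and requested_username != identity["username"]:
        raise PermissionError("client-supplied username does not match session")
    return {"accessLevel": "View", "identities": [identity]}


if __name__ == "__main__":
    session = {"authenticated": True, "customer_id": "cust-1001"}
    print(generate_token_body(session, DATASET_ID))
```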

Row Level Security not working in Power BI with Groups

I am running in this strange issue:
first I prepared some report with power BI desktop
then I go into "Manage Role" to create a rule that show data only for region ="Italy"
I upload the report to the power BI Services
I go to the security tab under dataset and associate some users (myuser#mytenant.com) to the rule
Finally I create a sharepoint page, where I embed the reports I prepared
When I access the report with myuser#mytenant.com I see all the data and not only the region = "Italy" as desired.
What is wrong with the rule?
Another strange thing is, testing the rule is fine, when I test a user the rule doesn't work...
Anybody any idea?
thx a lot!
The typical "gotcha" is that the Power BI App Workspace (group) settings are left to the default: Members can edit Power BI content. For RLS to work, this needs to be changed to Members can only view Power BI content.
You make this change by logging in to app.powerbi.com (as a group admin), and using the left nav to choose the App Workspace (group) and then Edit Workspace.
This is described in the doco:
https://learn.microsoft.com/en-us/power-bi/service-admin-rls#using-rls-with-app-workspaces-in-power-bi
If you publish your Power BI Desktop report to a workspace within the Power BI service, the roles will be applied to read-only members. You will need to indicate that members can only view Power BI content within the workspace settings.
Note:
If you have configured the workspace so that members have edit permissions, the RLS roles will not be applied to them. Users will be able to see all of the data.
official documentation: Using RLS with workspaces in Power BI
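An added example, not part of the answer above: an audit that cross-checks workspace access against RLS role membership and flags users whose edit rights mean the role filter is not applied to them. The data is constructed; the field names and the access-right values (Admin, Member, Contributor, Viewer, with only Viewer being view-only) are assumptions modelled on the Power BI REST "Get Group Users" response and the current workspace model.

```python
# Access rights that allow editing content; RLS roles are not applied to these.
EDIT_RIGHTS = {"Admin", "Member", "Contributor"}

# Constructed sample data (hypothetical users and role).
WORKSPACE_USERS = [
    {"identifier": "anna@example.com", "groupUserAccessRight": "Viewer"},
    {"identifier": "bruno@example.com", "groupUserAccessRight": "Member"},
    {"identifier": "carla@example.com", "groupUserAccessRight": "Contributor"},
    {"identifier": "dario@example.com", "groupUserAccessRight": "Viewer"},
]
RLS_ROLE_MEMBERS = {
    "Italy": ["anna@example.com", "bruno@example.com", "Carla@example.com"],
}


def audit_rls(workspace_users, role_members):
    """Return (user, finding, detail) for every user that needs attention."""
    rights = {u["identifier"].lower(): u["groupUserAccessRight"]
              for u in workspace_users}
    assigned = {}
    for role, members in role_members.items():
        for member in members:  # compare addresses case-insensitively
            assigned.setdefault(member.lower(), []).append(role)

    findings = []
    for user, right in sorted(rights.items()):
        roles = assigned.get(user, [])
        if right in EDIT_RIGHTS and roles:
            findings.append((user, "BYPASS",
                             f"{right} can edit content; roles {roles} are not enforced"))
        elif right in EDIT_RIGHTS:
            findings.append((user, "UNFILTERED",
                             f"{right} can edit content; sees all rows"))
        elif not roles:
            findings.append((user, "NO_ROLE",
                             "view-only but mapped to no role; confirm intended access"))
    return findings


if __name__ == "__main__":
    for user, finding, detail in audit_rls(WORKSPACE_USERS, RLS_ROLE_MEMBERS):
        print(f"{finding:<10} {user:<20} {detail}")
```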