I have a Powerbi report which has RLS Implement through a dimension table
I have created Roles with individual email ID and user principal name and this seems to be working perfectly well .
however when I want to add close to 600 users, I have created a Distribution list And when I put the DL in the role it does not seem to work.
All the users have premium subscription.
Any pointers here will be much appreciated
Related
I created a role in Power BI desktop - filters the data using UserPrincipalName().
I go to Security in the Power BI Service and add a member to the role. Everything works great!
Now, I need to add another 799 members to this role. Isn't there an easier way? How do I make this work so that for any user that runs the report, the filter kicks in and the user sees all data related to them, without explicitly adding them to the role I defined?
Here's what I ended up doing:
User = CONCATENATEX(Responses, IF(Responses[Feedback For] = USERPRINCIPALNAME(), "This User", "Other User"))
I created a measure called User and added this measure as a filter - locked it and made it invisible.
I have a weird issue with the Row Level Security in Power BI - for some users the RLS is working while for other it isn't.
Here is my situation:
I have a workspace in Power BI Service. All users are defined as "Viewers", including the user A and user C:
I have a Power BI dataset & report with 2 RLS roles:
"Alles": a role with no filters
"MA-Aus": a role with a filter that filters out the entire table "MA Auslastung":
I deployed the dataset & report to Power BI service and map the users to the RLS roles. I add user A and user C into the "MA-Aus" role. This means they shouldn't see any data from the "MA Auslastung" table:
I go to "Test as Role" to check if everything is working as expected:
I test the "MA-Aus" role. No value is shown in the "MA Sollzeit". This is correct - the table is filtered out, so the measure is blank.
I test the user A. No value is shown in the "MA Sollzeit". This is correct - the table is filtered out, so the measure is blank.
- I test the user C. "MA Sollzeit" returns value. The filter is not applied, RLS is not working.
What is happening here? Both users are configured correctly (viewers in the workspace, added to the role). For user A the RLS is working while for user C the filter from the role is not applied.
I am wanting to know how secure Row-Level Security is.
We are currently working on creating a dashboard that would be shared with 500 users within our organisation. All of these users are managers and we would be using dynamic row-level security so that each user would only be able to view information in the dashboard related to their own team.
I have tested RLS and it worked fine, but I have had another Power Bi user tell me that RLS is not completely secure as my base data is coming from excel. My base data is in excel, but I convert it into a pbix file in Power Bi desktop before creating the role, then publishing to power bi service, where I assign users to the role and give read only access.
I am wondering once I have shared the dashboard with these users is there any way for them to get around the RLS and access the base data?
Thanks in advance,
Amy
There are a number of factors to consider for imported data.
If the user can download the report, they could remove the role and access all the data. I would recommend turning this off in the Power BI Admin protal for selected users, or an AD group.
They could connect to the dataset via Excel or another report and get the data that way without the role level filter being used. Having them as read only is one way of stopping them altering the report. I would suggest deploying the report as an app, then they can only access the surfaced report not the underlying dataset.
We currently host data for multiple users in our database. I'd like to implement embedded power BI into our web app. When the user logs into our system, I'd like the data source to be filtered according to the user that is logged in, so e.g. SELECT * FROM Table1 WHERE ItemID in (ItemID1, ItemID2) etc..., we aren't going to know what ItemID1, ItemID2 etc... are until after the user has logged on.
Is this possible with PowerBI embedded?
To filter data for Power BI users based on which user is logging in to the embedded web app, complete the following:
Sample:
Create a table to store the usernames for each filter "group."
You will use DAX to create a measure to identify the users from your table, and assign them to a specific user role group. Below is the DAX to use:
[USERNAME] = [Current User]
Create the measure described in point #2 in the Row-Level security settings. By creating different "groups" for the users, you are essentially dynamically-building a "filter," where you only show the users what they should be seeing--thus resulting in pseudo-filtering. For more information see the following:
https://learn.microsoft.com/en-us/power-bi/desktop-tutorial-row-level-security-onprem-ssas-tabular
http://community.powerbi.com/t5/Service/Restricting-filters-to-specific-users-in-Power-BI-report/td-p/109111
Hope this helps!
I am running in this strange issue:
first I prepared some report with power BI desktop
then I go into "Manage Role" to create a rule that show data only for region ="Italy"
I upload the report to the power BI Services
I go to the security tab under dataset and associate some users (myuser#mytenant.com) to the rule
Finally I create a sharepoint page, where I embed the reports I prepared
When I access the report with myuser#mytenant.com I see all the data and not only the region = "Italy" as desired.
What is wrong with the rule?
Another strange thing is, testing the rule is fine, when I test an user the rule doesn't work...
Anybody anyidea?
thx a lot!
The typical "gotcha" is that the Power BI App Workspace (group) settings are left to the default: Members can edit Power BI content. For RLS to work, this needs to be changed to Members can only view Power BI content.
You make this change by logging in to app.powerbi.com (as a group admin), and using the left nav to choose the App Workspace (group) and then Edit Workspace.
This is described in the doco:
https://learn.microsoft.com/en-us/power-bi/service-admin-rls#using-rls-with-app-workspaces-in-power-bi
If you publish your Power BI Desktop report to a workspace within the Power BI service, the roles will be applied to on read-only members. You will need to indicate that members can only view Power BI content within the workspace settings.
Note:
If you have configured the workspace so that members have edit permissions, the RLS roles will not be applied to them. Users will be able to see all of the data.
official documentation: Using RLS with workspaces in Power BI