Skip to main content

    Power BI

    Needs Votes

    Add a default role for row level security

    Vote (281) Share
    Jon Jowsey's profile image

    Jon Jowsey on 17 Aug 2016 07:46:21

    I want to be able to assign all users (including new ones) to a default role in RLS. Currently I have to assign each user to the role manually, and update the roles manually when users change.

    This limits the ability to use RLS with a larger user base.

    Comments (25)
    Jon Jowsey's profile image Profile Picture

    e2aab312 0556-4b18-90ec-48744ac868b3 on 05 Jul 2020 22:58:10

    RE: Add a default role for row level security

    Fully agree. This functionality is very much needed to simplify access management.

    Jon Jowsey's profile image Profile Picture

    cddbc733 90ad-4f11-a324-fe4f6f243abc on 05 Jul 2020 22:56:11

    RE: Add a default role for row level security

    I agree with this aswell. It should be something like 'User Level Security' where anyone that has not been assigned a role can have their data scoped down by attributes found on the Username () model.

    For example 'jay.killeen@domain.com' accesses the report and has no role assigned. Behind the scenes PowerBI finds my Username () .

    Option 1. Username () inner joins on my User model by matching Username () -> User.email. All other models are inner joined on User therefore all data is then scoped down by the single entity User that has been matched by Username () .

    Option 2. Username () itself in AD has fields such as Division, Region or even Role etc and rules can be set (similar to existing RLS Table Filter rules) that utilise the value of these fields.

    Under Option 2 you might have a rule on the Region table that sets Region.Code = Username () .RegionCode.

    This way anyone logging in, that has no role assigned could have filters applied based on the User Level Security filters.

    I'd then simply be able to set my rules by user and expect my 1000+ members to be scoped down based on those rules and their attributes can be managed centrally in AD.

    This is how it is done in web frameworks such as Ruby on Rails (see the Pundit Gem or CanCan)

    Jon Jowsey's profile image Profile Picture

    366ab485 97d0-417c-82af-ee8169fe8424 on 05 Jul 2020 22:45:59

    RE: Add a default role for row level security

    Were you able to find a solution for this issue? I have the same problem...

    Jon Jowsey's profile image Profile Picture

    233f7263 6b64-40d2-a044-cd6cb0dd5fe1 on 05 Jul 2020 22:37:03

    RE: Add a default role for row level security

    Default role should be assigned through the PBI service. This is especially important once you have implemented dynamic RLS.

    Jon Jowsey's profile image Profile Picture

    221e86f4 76d6-4057-8607-81d9dd589004 on 05 Jul 2020 22:33:09

    RE: Add a default role for row level security

    RLS is set at both the data level in the Desktop and then at the Dataset level in the service. I am using the "Username () " DAX function in the desktop to set up a role and join this to a pre-built 2 column table of user ids and Branches each user has access to.
    The issue is that in the Service, at the dataset, I need to manual add each user. There should be an option to have ALL users applied the RLS.