RLS in Power BI

Row-level security in Power BI

To ensure that data in Power BI reports do not fall into the wrong hands, it is possible to apply Row-Level Security (RLS) to any report within a workspace. This ensures that for each recipient of the report a difference can be made in what data they can see. It is important that the setup is done accurately and that the members of a workspace are assigned the right role to prevent them from seeing too much information, for example. This RLS layout of the online workspaces in Power BI has changed in the last few months. In this blog, we explain what to pay attention to when setting up a new workspace and setting up the renewed RLS in Power BI.

RLS in Power BI in practice

A good example of the application of RLS is in a multi-branch store chain, where each branch manager is responsible for his own store.  Each branch manager is only allowed to see the figures of his own store. Because of RLS it is no longer necessary to create a separate report for each store manager.

RLS for published dashboards is set up in Power BI Desktop under the Modeling tab. For each role, the report must indicate which tables are to be filtered. Different columns within a table can be filtered, for example on the Place column. Below is an example of the role for a branch manager in Rotterdam.

Apply filter storeID

By filtering the region of the store on Rotterdam, the transaction table is also filtered on data from Rotterdam, provided a relationship is established between these two tables. When there are several branches in Rotterdam, managers from this city will be able to view each other’s figures in the current set up. In some cases, this may not be desirable. To prevent this, it is possible in this dataset to filter one level deeper through a unique field per store. In our example this is StoreID. As long as each StoreID in our dataset is unique, each manager will only be able to see data of his own store. A separate role should be created for each manager.

Row-level security in Power BI 2

Once the report is published, the email addresses can be added to the corresponding role in the Power BI Service. It is possible to link 1 email address to different roles. This situation can occur when for example a manager (temporarily) takes over another branch. An e-mail address can be deleted at any time, which means that the rights to view the data expire immediately for the person in question. It is therefore important that a designated person maintains and updates the RLS rights.

Roles in new workspaces

As previously mentioned, the functionalities of workspaces have recently been renewed by Microsoft. Within the old workspaces, you could only assign the roles Member or Administrator to a person. In the new situation there are four different roles:

  • Viewer is the read-only role. With this role, it is not possible to edit or change reports. Attention! When a report uses RLS, all users must get at least the role of viewer, otherwise the RLS will not work.
  • Contributor is the role assigned to persons who need to be able to publish, edit, update and delete reports. This is a role for the developers in the team for example. However, the contributor does not have the right to share reports or add users to the workspaces.
  • In addition to publishing, editing and updating, a Member can also share the reports with others. They also have the rights to add users with the same or lower roles (Viewer and Contributer).
  • An Admin has all the functionalities that the lower roles have, but in addition administrators can also remove workspaces and make other people administrator. Administrators are also allowed to remove people from the workspaces.

Creating new workspaces

Besides the new roles, creating a workspace is also different. When creating an old workspace, an Office 365 group was always created. With the introduction of the new workspaces, a workspace is created without an Office 365 group. The workspaces only exist in the Power BI environment. Because of this, the workspaces do not automatically appear in for example Teams. In the past, this was experienced as confusing by many users.

It is possible to convert an existing workspace to a new workspace. This is easy to change under the advanced settings. This option can be found in the workspace settings.

In the old workspaces, all members can be seen separately. When converting to the new workspace, these members are clustered into a group with the name of the workspace. You can see which members are in the group on the Office 356 site. We recommend converting old workspaces to new workspaces so you can assign more specific roles to people.

This concludes RLS in Power BI. If you want to know more about RLS or Power BI in general, please contact Paul!

Latest Blog Posts

10+ Data & Automation Solutions that will transform your business

Use this webpage for information about more than 10 solutions that we think will help your solid ideas take flight. A Data & Automation solution Line Up so to say.

Read more

Harnessing Data Power with DBT; Elevating Business Practices

In today’s data-centric business environment, mastering the art of transforming data into actionable insights can dramatically differentiate leaders from followers. Have you ever been in a situation where you doubted the reliability of your data, leading to decision paralysis? Then read this blog!

Read more

Webinar: External Tools to Optimize your Power BI Environment

Whether you’re a seasoned Power BI user or a BI manager looking to elevate your team’s capabilities, this session will provide you with the insights and tools necessary to achieve a clean and effective Power BI environment.

Read more
All posts