Software Development

How can I implement Row Level Security RLS in Power BI using dynamic user roles and AD groups?

KI Asked by Kimberly Clark · 22-09-2024
0 upvotes 15,677 views 0 comments
The question

We need to roll out a global dashboard where managers can only see data for their specific territory. I want to avoid creating 50 different roles manually. Is there a way to use the USERPRINCIPALNAME() function effectively alongside an Active Directory group mapping to make the security dynamic and easy to maintain as our team grows or changes?

3 answers

0
SU
Answered on 30-09-2023

Just remember that RLS doesn't encrypt the data; it only filters it. Also, make sure your users are added to the "Viewer" role in the workspace for RLS to actually trigger.

KI 02-10-2023

Good point, Susan. Many people forget that "Contributor" or "Member" roles bypass RLS entirely. Setting them as "Viewers" is the only way to ensure the DAX filters are applied.

0
BA
Answered on 25-09-2024

Dynamic RLS is the way to go for your use case. You should create a mapping table in your data model that links the User's Email (matching their Power BI login) to the Territory ID. In the "Manage Roles" section, you would then write a DAX filter for your security table like [UserEmail] = USERPRINCIPALNAME(). By creating a relationship between this security table and your Fact table, the filters will automatically cascade. This means you only ever need one role in Power BI, and the data visibility is controlled entirely by your mapping table.

0
TH
Answered on 27-09-2024

Do you have the ability to manage the mapping table through an external source like an Excel sheet in SharePoint or a SQL table? This makes it much easier for HR or Department heads to update access without needing a Power BI Developer to touch the PBIX file every time. 

RI 29-09-2024

Thomas, that sounds efficient. If I use a SQL table for the mapping, do I need to set the storage mode to "Import" for the security table to work with RLS, or can I leave it in "DirectQuery" to ensure that any changes in access permissions are reflected immediately in the dashboard?

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session