Categories: Power BI

Dynamic Security in Power BI

UPDATE: the feature has changed since its introduction. For more information, see the update at the bottom of the post.

In case you haven’t noticed, Power BI added a new feature in preview mode: row level security (RLS). This blog post describes how you  can use this feature to implement dynamic security. In other words, the data being displayed depends on the user that’s viewing it. I will not talk about live connections to Analysis Services, there are plenty of resources on how to implement dynamic dimension security in SSAS (for example the excellent Expert Cube Development).

Let’s start with a very basic data set:

I included the email address of the user, as well as a (fictional) domain login. I loaded the data into a Power BI Desktop model. For testing purposes, I tried to add a calculated column that would show my username, just to see if it would display an email address or a domain login. Alas, this is not possible.

So I needed to create a measure instead. This measure just counts the number of rows where the email address matches the USERNAME() function. I created a similar measure for the domain login.

When I threw everything on a canvas, I got the following result:

Apparently, in PBI the domain is used, not the email. Good to know if row level security is implemented in PBI someday (note: currently it’s only available in the Power BI Service).

OK, now let’s upload this report to the Power BI Service so we can implement the RLS. When the report is opened, it seems  that my carefully crafted measures are ignored. Maybe Power BI ignores the USERNAME() function as long as there is no RLS defined.

Now, let’s add the RLS by clicking on the three dots at the data source and choosing Security. As a member, I added the distribution list of the Microsoft Competence Center of my company. This works because we are using Office 365 for mail. Currently it’s not possible to use Active Directory Security Groups, unfortunately.

Then I defined a simple rule that just checks if the email equals the USERNAME() function.

You can test your role by clicking on the three dots and choosing Test data as role.

Now my measures seem to be working fine, as well as the rule.

At the top, you can choose between roles or you can specify a specific user to test the security.

When I choose my own account, I still see all of the data (and the measures go totally crazy. It appears I’m all people at once). This is probably because I’m the owner of the data set and thus some sort of god-like admin. It’s the same in Analysis Services: if you’re an administrator you can always see all of the data, even if roles are denying you access to it.

When I choose another user, you can see that the security is correctly applied.

When someone is chosen that has access (because they are part of the distribution list) but whose email is not in the email column, the table is just empty. When someone is chosen that doesn’t have access, the visual gives an error.

You can only test reports though, dashboards are not listed. This makes it a bit harder to test them, since you’d have to actually log in as that person to see what the results are. I quickly created an easy dashboard with two tiles: one tile is a live tile displaying the entire report, the other a simple card displaying the value for MeasureA.

This is what I see (as owner of the data):

(expertly photoshopped in Paint to make it a bit smaller)

I kindly asked Davy to log in into Power BI and sent me a screenshot of what he saw. The result:

So RLS works on live tiles (as I would expect), but also on regular tiles. Thanks again Davy for the assistance.

That’s it for this blog post. RLS is still in preview, so it’s possible some things can change along the way. Currently there are some limitations (AD groups being one of them) and I hope they are resolved soon.

UPDATE:
Row level security in Power BI is now in general availability. There are some changes however: you have to define the roles and their filters inside Power BI Desktop instead of in the service. Adding members to a role still remains in the service. This separation makes sure that you can republish Power BI Desktop files without losing the defined security.


------------------------------------------------
Do you like this blog post? You can thank me by buying me a beer 🙂
Koen Verbeeck

Koen Verbeeck is a Microsoft Business Intelligence consultant at AE, helping clients to get insight in their data. Koen has a comprehensive knowledge of the SQL Server BI stack, with a particular love for Integration Services. He's also a speaker at various conferences.

View Comments

  • Thanks for sharing Koen, saves me and lot of others a lot of "seeing before believing" time ;-).

  • Hi,
    i am in France and i havent the tree dots and the security option in the menu,
    do you know why,
    not available in all region ? or will have to configure somewhere ?

    Many thanks

    • Hi Jean-Pierre,

      I'm in Belgium, so I would be surprised if it's a region issue.
      So you can define a role, but you cannot test it? What kind of source are you using?

  • Hi @koen Verbeeck,

    i don't want restrict the particular user then how can i do that.

    I mean super user can see all records.

    Regards
    Mallikarjun

    • Hi Mallis,

      you have two options:

      * you can add all possible items you want to secure for that user into the bridge table (the table were you define which user can see which items)
      * or you don't add the super user to the role with dynamic security. Instead, you create another role for super users only which has read permissions on everything.

      Regards,
      Koen

Recent Posts

Free webinar – Tackling the Gaps and Islands Problem with T-SQL Window Functions

I'm hosting a free webinar at MSSQLTips.com at the 19th of December 2024, 6PM UTC.…

6 days ago

dataMinds Connect 2024 – Session Materials

The slides and scripts for my session "Tackling the Gaps & Islands Problem with T-SQL…

4 weeks ago

Connect to Power BI as a Guest User in another Tenant

Sometimes your Microsoft Entra ID account (formerly known as Azure Active Directory) is added as…

2 months ago

How to use a Script Activity in ADF as a Lookup

In Azure Data Factory (ADF, but also Synapse Pipelines and Fabric Pipelines), you have a…

4 months ago

Database Build Error – Incorrect syntax near DISTINCT

I wrote a piece of SQL that had some new T-SQL syntax in it: IS…

4 months ago

Speaking at dataMinds Connect 2024

I'm very excited to announce I've been selected as a speaker for dataMinds Connect 2024,…

5 months ago