files.meetup.com/19947392/Power BI Dynamic Row Level Security Ov…
Markus Hanisch
11/15/2016
Dynamic Row Level Security in Power BI
Feature
• RLS is a Pro feature
• Restrict data access by users
• Filter data on row level
• Define filters within roles and table rules
• Configure RLS on datasets with
− Power BI Desktop
− DirectQuery, for example SQL Server
Row Level Security (RLS) is a Power BI Pro feature that lets you filter data at row level, based on rules in the dataset.
Introduction to RLS
Prerequisite:
enable preview feature cross-filtering in
both directions for DirectQuery
After data import in Power BI Desktop
1. Select the Modeling tab
2. Select Manage Roles
3. Select Create
4. Provide role name
5. Select table to apply DAX rule
6. Enter DAX expression, e.g.
Users[User] = Userprincipalname()
7. Apply and Save
Example
• 1st Approach:
Dynamic Row Level Security by means of the Username() function, with cross-filtering in both directions enabled in Power BI Desktop and the Power BI service, according to Kasper de Jonge's blog post: Power BI Desktop Dynamic security cheat sheet (PBIX file) (09/01/2016)
Rule:
Users[Users] = USERPRINCIPALNAME()
Enabling the preview feature "cross-filtering in both directions for DirectQuery" is a prerequisite for this approach.
Furthermore, when editing the relationship between your Dim table and the table you want to be bi-directionally filtered, make sure to enable the check box "Apply security filter in both directions" and set the cross filter direction to "Both".
• 2nd Approach:
Dynamic Row Level Security by means of DAX formulas and no relationships in the data model, according to the blog post by jirineoral (10/19/2016)
Rule:
NOT(ISBLANK(LOOKUPVALUE('Security'[Group],'Security'[Group],'Group'[Group],'Security'[Users],USERPRINCIPALNAME())))
• No need to bother with table relationships
• No need to change the data model
• Filtering data already related in the data model
• Referencing an unrelated mapping table only
• LOOKUPVALUE arguments: 1: value to return, 2: searched column, 3: value to find
• Result: 'Group'[Group] (match) or BLANK (no match)
LOOKUPVALUE
(
    'Security'[Group],  -- 1: value to return
    'Security'[Group],  -- 2: searched column
    'Group'[Group]      -- 3: value to find
)
• ISBLANK returns TRUE if BLANK, else FALSE, i.e.
  match: FALSE
  no match: TRUE
ISBLANK
(
    LOOKUPVALUE
    (
        'Security'[Group],  -- 1: value to return
        'Security'[Group],  -- 2: searched column
        'Group'[Group]      -- 3: value to find
    )
)
• NOT inverts the returned result: FALSE if BLANK, else TRUE, i.e.
  match: TRUE
  no match: FALSE
NOT
(
    ISBLANK
    (
        LOOKUPVALUE
        (
            'Security'[Group],  -- 1: value to return
            'Security'[Group],  -- 2: searched column
            'Group'[Group]      -- 3: value to find
        )
    )
)
• LOOKUPVALUE arguments: 1: value to return, 2: searched column, 3: value to find, 4: 2nd column to be searched, 5: 2nd value to find
• 4 + 5: restrict data access to a particular user
• IF match
  'Group'[Group] = 'Security'[Group]
  AND
  'Security'[Users] = USERPRINCIPALNAME
  THEN
  filter data based on the 'Security'[Group] assigned to USERPRINCIPALNAME
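NOT
(
    ISBLANK
    (
        LOOKUPVALUE
        (
            'Security'[Group],     -- 1: value to return
            'Security'[Group],     -- 2: searched column
            'Group'[Group],        -- 3: value to find
            'Security'[Users],     -- 4: 2nd column to be searched
            USERPRINCIPALNAME()    -- 5: 2nd value to find
        )
    )
)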
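The rule built up step by step above, modelled in Python as an added example (not taken from the slides or the cited blog post) to show which rows of 'Group' each signed-in user keeps. The table contents, user names and the Amount column are constructed, and case-insensitive text matching is an assumption about the model's collation.

```python
# Python model of the RLS rule; all table contents are constructed sample data.
BLANK = None  # stands in for DAX BLANK

SECURITY = [  # mapping table 'Security': one row per (user, group) grant
    {"Users": "alice@contoso.com", "Group": "Sales"},
    {"Users": "alice@contoso.com", "Group": "Finance"},
    {"Users": "bob@contoso.com", "Group": "Sales"},
]
GROUP = [  # table 'Group' that the role's rule is applied to
    {"Group": "Sales", "Amount": 100},
    {"Group": "Finance", "Amount": 250},
    {"Group": "HR", "Amount": 75},
]

def lookupvalue(table, result_col, *pairs):
    """LOOKUPVALUE model: result_col of the rows matching every (column, value) pair."""
    criteria = list(zip(pairs[0::2], pairs[1::2]))
    # Assumption: text is compared case-insensitively, hence casefold().
    hits = {row[result_col] for row in table
            if all(str(row[c]).casefold() == str(v).casefold() for c, v in criteria)}
    if not hits:
        return BLANK                      # no match
    if len(hits) > 1:
        raise ValueError("multiple distinct values matched")
    return hits.pop()                     # match

def rule(group_row, upn):
    """NOT(ISBLANK(LOOKUPVALUE(...))) evaluated for one row of 'Group'."""
    found = lookupvalue(SECURITY, "Group",
                        "Group", group_row["Group"],  # arguments 2 and 3
                        "Users", upn)                 # arguments 4 and 5
    return found is not BLANK

def visible_groups(upn):
    """Rows of 'Group' that survive the role filter for the signed-in user."""
    return [row["Group"] for row in GROUP if rule(row, upn)]

if __name__ == "__main__":
    for user in ("alice@contoso.com", "bob@contoso.com", "carol@contoso.com"):
        print(user, visible_groups(user))
```

A user with no row in the mapping table gets an empty result, and dropping arguments 4 and 5 makes every mapped group visible to every user, which is why the user check is part of the rule.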
Findings
Some considerable limitations:
• Roles/rules previously defined within the Power BI service? They need to be recreated within Power BI Desktop.
• RLS only on PBIX files – created using the Power BI Desktop client
• Only ETL & DirectQuery connections supported (Live connections to Analysis Services handled in on-premises model)
• Q&A & Cortana not supported
• External sharing not supported with datasets using RLS
Summary
• RLS is a Pro feature only
• Restrict data access by users
• Filter data on row level
• Define filters within roles and table rules
• Some considerable limitations and known issues
However, a great feature worth following up.
Sources
• Power BI Documentation: Row-level security (RLS) with Power BI, Using Username() in DAX with Row-Level Security
• Kasper de Jonge Microsoft BI Blog: Dynamic security made easy with SSAS 2016 and Power BI and Power BI Desktop Dynamic security cheat sheet
• Guy in a cube: Row-Level Security for Cloud models and DirectQuery in Power BI
• Kasper de Jonge, Senior Program Manager, Microsoft Corp.: Bidirectional cross-filtering in SQL Server Analysis Services 2016 and Power BI Desktop
• Power BI Community Blog: Different approach to Dynamic Row Level Security, Power BI – Dynamic Row Level Security – Tips to get it working!