Row Level Security Setup Guide: Difference between revisions
David.weller (talk | contribs) Created blank page |
No edit summary |
||
| (3 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
'''Power BI Row Level Security (RLS) Documentation''' | |||
Sample Report: Global HAE Booking Summary Dashboard | |||
Purpose: Control user access to report data based on database permissions. | |||
Prepared by: PBI Team | |||
'''1. Purpose of This Document''' | |||
This guide outlines the '''Row Level Security (RLS) configuration and management process''' implemented in the Power BI reports. | |||
Sample report used is the Global HAE Booking Summary Dashboard. | |||
The RLS is applied the same way across all the reports. | |||
The goal of RLS is to ensure that: | |||
· Users only see '''data relevant to their authorized databases'''. | |||
· Certain administrators have '''unrestricted access to all data'''. | |||
· Access is controlled securely and consistently across the company. | |||
'''2. Overview of the RLS Design''' | |||
The RLS model uses the user email identification to determine which data a user is allowed to see. | |||
PowerBI identifies the logged in user using: | |||
''USERNAME()'' | |||
The function returns the email address of the user who is currently accessing the report. | |||
The system then applies DAX logic to determine the data that the user can view. | |||
'''3. Access Categories''' | |||
Users are divided into two access levels | |||
Restricted Access Users | |||
Unrestricted Access Users | |||
'''3.1 Restricted Access Users''' | |||
These are the users who can access specific databases/sites/carriers. | |||
Example: | |||
{| class="wikitable" | |||
|Email | |||
|Access Level | |||
|Role Name | |||
|- | |||
|neil.cross@groupair.aero | |||
|Restricted | |||
|GLOBAL(HAE)_NEIL | |||
|- | |||
|andy.smith@haegroup.com | |||
|Restricted | |||
|GLOBAL(HAE)_ANDY | |||
|- | |||
|blake.attley@haegroup.com | |||
|Restricted | |||
|GLOBAL(HAE)_BLAKE | |||
|- | |||
|charlie.storcks@haegroup.com | |||
|Restricted | |||
|GLOBAL(HAE)_CHARLIE | |||
|- | |||
|alyne.fukuda@haegroup.com | |||
|Restricted | |||
|GLOBAL(HAE)_ALYNE | |||
|- | |||
|cecilia.ngure@datacair.com | |||
|Restricted | |||
|GLOBAL(HAE)_NGURE | |||
|} | |||
'''3.2 Unrestricted Access Users''' | |||
These are the users who have full access to all databases/sites/carriers. | |||
Example: | |||
{| class="wikitable" | |||
|Email | |||
|Access | |||
|Role Name | |||
|- | |||
|ian.hutchinson@haegroup.com | |||
|Unrestricted | |||
|GLOBAL(HAE)_ALL | |||
|- | |||
|steve.dickinson@haegroup.com | |||
|Unrestricted | |||
|GLOBAL(HAE)_ALL | |||
|- | |||
|richard.arrowsmith@datacair.com | |||
|Unrestricted | |||
|GLOBAL(HAE)_ALL | |||
|- | |||
|john.ward@haegroup.com | |||
|Unrestricted | |||
|GLOBAL(HAE)_ALL | |||
|- | |||
|brian.virgo@haegroup.com | |||
|Unrestricted | |||
|GLOBAL(HAE)_ALL | |||
|} | |||
'''4. RLS Logic Structure''' | |||
The RLS rules are implemented using '''conditional DAX expressions'''. | |||
Example structure: | |||
'''''IF(''''' | |||
''''' USERNAME() = "specific_user@email.com",''''' | |||
''''' <restricted access rule>''''' | |||
''''' IF(''''' | |||
''''' USERNAME() IN {list_of_admin_users},''''' | |||
''''' TRUE(),''''' | |||
''''' FALSE()''''' | |||
''''' )''''' | |||
''''')''''' | |||
'''Explanation:''' | |||
{| class="wikitable" | |||
|USERNAME() | |||
|Identifies the current user | |||
|- | |||
|Restricted Rule | |||
|Defines database access | |||
|- | |||
|Admin List | |||
|Allows full access | |||
|- | |||
|TRUE() | |||
|Access granted | |||
|- | |||
|FALSE() | |||
|Access denied | |||
|} | |||
'''5. Example RLS Implementation''' | |||
Example for '''Cecilia Ngure'''. | |||
She has access to: | |||
· HAE database with specific site access- ‘NBO’ and ‘HFZCO/Dubai’ | |||
· AIRCROSS database with all associated sites access. | |||
· GROUPAIR database with all associated sites access. | |||
'''''IF(''''' | |||
''''' USERNAME() = "cecilia.ngure@datacair.com",''''' | |||
''''' (''''' | |||
''''' ([Database] = "HAE" && [Sites] IN { "NBO", "HFZCO/Dubai" }) ||''''' | |||
''''' ([Database] = "AIRCROSS") ||''''' | |||
''''' ([Database] = "GROUPAIR")''''' | |||
''''' ), // Cecilia's specific access''''' | |||
''''' IF(''''' | |||
''''' USERNAME() IN {''''' | |||
''''' "ian.hutchinson@haegroup.com",''''' | |||
''''' "steve.dickinson@haegroup.com",''''' | |||
''''' "richard.arrowsmith@datacair.com",''''' | |||
''''' "john.ward@haegroup.com",''''' | |||
''''' "brian.virgo@haegroup.com"''''' | |||
''''' ''''' | |||
''''' },''''' | |||
''''' TRUE(), // Unrestricted access for listed users''''' | |||
'''''FALSE() // Default condition: restricted access''''' | |||
''''' )''''' | |||
''''')''''' | |||
'''6. RLS Implementation Process''' | |||
'' '''Step 1 — Define Access Requirements''''' | |||
Before configuring RLS, determine: | |||
· Which '''database(s)''' the user should access. | |||
· Whether the user needs '''restricted or unrestricted access'''. | |||
'' '''Step 2 — Create or Modify RLS in Power BI Desktop''''' | |||
Open the report in Power BI Desktop. | |||
'''Navigate to:''' | |||
Model View | |||
Manage Role | |||
'''''Step 3 — Publish the Dataset''''' | |||
Once RLS is configured: | |||
1. Save the report. | |||
2. Publish the dataset to '''Power BI Service'''. | |||
'''''Step 4 — Assign Users to the Role''''' | |||
In '''Power BI Service''': | |||
Workspace | |||
Dataset | |||
Security | |||
Add the user email to the appropriate '''RLS Role'''. | |||
'''''Step 5 — Test the RLS Configuration''''' | |||
Testing must be done before sharing the report. | |||
'''Testing in Power BI Desktop''' | |||
1. Go to '''Model View''' | |||
2. Select '''View As''' | |||
3. Enter the user email | |||
4. Confirm that the correct data appears | |||
'''Testing in Power BI Service''' | |||
1. Open the dataset | |||
2. Select '''Security''' | |||
3. Click '''Test as Role''' | |||
Verify that the user can only see the intended data. | |||
'''7. Access Management Guidelines''' | |||
To maintain security: | |||
· Grant '''minimum required access''' | |||
· Review user permissions periodically | |||
· Remove access for inactive users | |||
· Document all new access requests | |||
'''8. Maintenance Process''' | |||
RLS should be reviewed when: | |||
· A new user requires access | |||
· A database is added | |||
· An employee leaves the organization | |||
· Report requirements change | |||
'''9. Change Management''' | |||
All RLS changes must follow this process: | |||
1. Request received | |||
2. Access verified by management | |||
3. RLS updated in Power BI | |||
4. Changes tested | |||
5. Dataset republished | |||
'''10. Responsible Personnel.''' | |||
{| class="wikitable" | |||
|'''RLS Development''' | |||
|'''BI Developers''' | |||
|- | |||
|'''Access Approval''' | |||
|'''Management''' | |||
|- | |||
|'''Dataset Maintenance''' | |||
|'''BI Developers''' | |||
|} | |||
Latest revision as of 13:17, 8 April 2026
Power BI Row Level Security (RLS) Documentation
Sample Report: Global HAE Booking Summary Dashboard
Purpose: Control user access to report data based on database permissions.
Prepared by: PBI Team
1. Purpose of This Document
This guide outlines the Row Level Security (RLS) configuration and management process implemented in the Power BI reports.
Sample report used is the Global HAE Booking Summary Dashboard.
The RLS is applied the same way across all the reports.
The goal of RLS is to ensure that:
· Users only see data relevant to their authorized databases.
· Certain administrators have unrestricted access to all data.
· Access is controlled securely and consistently across the company.
2. Overview of the RLS Design
The RLS model uses the user email identification to determine which data a user is allowed to see.
PowerBI identifies the logged in user using:
USERNAME()
The function returns the email address of the user who is currently accessing the report.
The system then applies DAX logic to determine the data that the user can view.
3. Access Categories
Users are divided into two access levels
Restricted Access Users
Unrestricted Access Users
3.1 Restricted Access Users
These are the users who can access specific databases/sites/carriers.
Example:
| Access Level | Role Name | |
| neil.cross@groupair.aero | Restricted | GLOBAL(HAE)_NEIL |
| andy.smith@haegroup.com | Restricted | GLOBAL(HAE)_ANDY |
| blake.attley@haegroup.com | Restricted | GLOBAL(HAE)_BLAKE |
| charlie.storcks@haegroup.com | Restricted | GLOBAL(HAE)_CHARLIE |
| alyne.fukuda@haegroup.com | Restricted | GLOBAL(HAE)_ALYNE |
| cecilia.ngure@datacair.com | Restricted | GLOBAL(HAE)_NGURE |
3.2 Unrestricted Access Users
These are the users who have full access to all databases/sites/carriers.
Example:
| Access | Role Name | |
| ian.hutchinson@haegroup.com | Unrestricted | GLOBAL(HAE)_ALL |
| steve.dickinson@haegroup.com | Unrestricted | GLOBAL(HAE)_ALL |
| richard.arrowsmith@datacair.com | Unrestricted | GLOBAL(HAE)_ALL |
| john.ward@haegroup.com | Unrestricted | GLOBAL(HAE)_ALL |
| brian.virgo@haegroup.com | Unrestricted | GLOBAL(HAE)_ALL |
4. RLS Logic Structure
The RLS rules are implemented using conditional DAX expressions.
Example structure:
IF(
USERNAME() = "specific_user@email.com",
<restricted access rule>
IF(
USERNAME() IN {list_of_admin_users},
TRUE(),
FALSE()
)
)
Explanation:
| USERNAME() | Identifies the current user |
| Restricted Rule | Defines database access |
| Admin List | Allows full access |
| TRUE() | Access granted |
| FALSE() | Access denied |
5. Example RLS Implementation
Example for Cecilia Ngure.
She has access to:
· HAE database with specific site access- ‘NBO’ and ‘HFZCO/Dubai’
· AIRCROSS database with all associated sites access.
· GROUPAIR database with all associated sites access.
IF(
USERNAME() = "cecilia.ngure@datacair.com",
(
([Database] = "HAE" && [Sites] IN { "NBO", "HFZCO/Dubai" }) ||
([Database] = "AIRCROSS") ||
([Database] = "GROUPAIR")
), // Cecilia's specific access
IF(
USERNAME() IN {
"ian.hutchinson@haegroup.com",
"steve.dickinson@haegroup.com",
"richard.arrowsmith@datacair.com",
"john.ward@haegroup.com",
"brian.virgo@haegroup.com"
},
TRUE(), // Unrestricted access for listed users
FALSE() // Default condition: restricted access
)
)
6. RLS Implementation Process
Step 1 — Define Access Requirements
Before configuring RLS, determine:
· Which database(s) the user should access.
· Whether the user needs restricted or unrestricted access.
Step 2 — Create or Modify RLS in Power BI Desktop
Open the report in Power BI Desktop.
Navigate to:
Model View
Manage Role
Step 3 — Publish the Dataset
Once RLS is configured:
1. Save the report.
2. Publish the dataset to Power BI Service.
Step 4 — Assign Users to the Role
In Power BI Service:
Workspace
Dataset
Security
Add the user email to the appropriate RLS Role.
Step 5 — Test the RLS Configuration
Testing must be done before sharing the report.
Testing in Power BI Desktop
1. Go to Model View
2. Select View As
3. Enter the user email
4. Confirm that the correct data appears
Testing in Power BI Service
1. Open the dataset
2. Select Security
3. Click Test as Role
Verify that the user can only see the intended data.
7. Access Management Guidelines
To maintain security:
· Grant minimum required access
· Review user permissions periodically
· Remove access for inactive users
· Document all new access requests
8. Maintenance Process
RLS should be reviewed when:
· A new user requires access
· A database is added
· An employee leaves the organization
· Report requirements change
9. Change Management
All RLS changes must follow this process:
1. Request received
2. Access verified by management
3. RLS updated in Power BI
4. Changes tested
5. Dataset republished
10. Responsible Personnel.
| RLS Development | BI Developers |
| Access Approval | Management |
| Dataset Maintenance | BI Developers |