New Feature: Static Row Level Security (RLS)
The dynamic RLS
Power BI Embedded has supported the Row Level Security (RLS) feature for quite some time now. You create a role in your Power BI model, implement the necessary security rules and filters, and specify the name of the role that should be used to filter permissions. The system then uses this role for all users who view the report, which keeps all permissions management in a single place and allows the use of DAX to handle all the rules.
In this format, the RLS rule, created in Power BI Desktop, receives the email of the user accessing the report and is responsible for carrying out the filters using this email, based on the rules created. In this case, it is necessary to keep a table in your model with users and permissions according to the RLS rule.
You may need to change the permissions table to allow filters at different levels of hierarchy and use DAX roles to configure users with full access (without RLS).
Dynamic RLS configuration is done on the report's editing screen, where you must enter the name of the role that will be applied to all users who are going to view it.
The static RLS
For companies that need or would like to create several roles and use a role according to the user who is accessing the report, without the need to have a table in the model with users and permissions, there is the static RLS. It is simpler to configure, but it performs worse and its permissions are more difficult to manage.
This is the format that is used by the Power BI service to define RLS.
To access the static RLS screen, go to the reports page, click on the “Actions” button and click on the “Security” menu item.
In this format, you will see the list of roles that exist in this model.
Click on the “Manage” button to view the list of system users and groups and add them to this role, for this model.
Now just save on this screen to confirm the changes and activate RLS in this report.
If your report has an RLS role defined, do not forget to add all users who will access the report to some RLS role, dynamic or static; otherwise that person will see an error message when trying to view the report.
How the RLS flow works in the system
- When viewing the report, the system will check if the logged in user is in one of the static roles, either with direct access or by group. If the user is associated, this role will be sent to render the report.
- If the logged in user is not in any static role, then the system will check if there is any registered dynamic role. If so, it will be used.
- If none of the above scenarios are true, then the system will not send any roles to RLS, and will consider the report to have no RLS rules.
Notes:
- As the behavior is the same as the Power BI service, the most common thing is for a user to be in only 1 role per report. If a user is in more than 1 role, the RLS behavior may be a little different than expected (as already happens in the Power BI service).
- If there is an RLS rule created in the report and the system does not send a role, an error message will be generated when trying to view the report, either because the user is not in any static role or because the name of the dynamic role was not specified.
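The flow and notes above, modelled as an added Python example (not the product's own code) that can be used to check role assignments before publishing a report. The `ReportRls` structure, function names and sample users are hypothetical, and sending every matching static role when a user is in several is an assumption the page does not confirm.

```python
from dataclasses import dataclass, field
from typing import Optional

class RlsError(Exception):
    """Model defines RLS roles but no role was sent for this viewer."""

@dataclass
class ReportRls:  # hypothetical structure, not the product's data model
    model_roles: set                                    # roles defined in the model
    static_members: dict = field(default_factory=dict)  # role -> users/groups
    dynamic_role: Optional[str] = None                  # set on the report edit screen

def resolve_roles(report, user, groups=()):
    """Return (source, roles) following the three steps of the flow."""
    principals = {user, *groups}
    # Step 1: static roles, matched by direct membership or through a group.
    # Assumption: if several roles match, all of them are sent.
    static = sorted(role for role, members in report.static_members.items()
                    if principals & set(members))
    if static:
        return "static", static
    # Step 2: fall back to the dynamic role, if one is registered.
    if report.dynamic_role:
        return "dynamic", [report.dynamic_role]
    # Step 3: no role is sent; this only works if the model has no RLS rules.
    if report.model_roles:
        raise RlsError(f"{user}: report has RLS roles but none applies")
    return "none", []

def audit(report, viewers):
    """Pre-publish check: who would get an error, who sits in several roles."""
    would_error, multi_role = [], []
    for user, groups in viewers.items():
        try:
            _, roles = resolve_roles(report, user, groups)
        except RlsError:
            would_error.append(user)
            continue
        if len(roles) > 1:
            multi_role.append(user)
    return would_error, multi_role

# Constructed sample data.
REPORT = ReportRls(
    model_roles={"North", "South"},
    static_members={"North": {"ana@example.com", "grp-north"},
                    "South": {"ana@example.com", "grp-south"}})
VIEWERS = {"ana@example.com": [], "bob@example.com": ["grp-south"],
           "eve@example.com": ["grp-finance"]}

if __name__ == "__main__":
    print(audit(REPORT, VIEWERS))
```

With the sample data, `audit` reports one viewer who would hit the error message and one who is in two static roles.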