Jon von der Heyden
MrExcel MVP, Moderator
- Joined: Apr 6, 2004
- Messages: 10,907
- Office Version: 365
- Platform: Windows
Hi All
I am battling to understand how shared datasets and row-level security (RLS) can be applied to users such that they can self-serve (build own reports, connect in Excel etc.).
If I build a dataset, configure RLS, and publish to a workspace, the RLS will be ignored by users with Contributor rights. I desire contributor rights for my users so that they can build their own reports - but at the same time I have security constraints.
When I publish from PBI desktop, I get two objects in the published-to workspace, namely the Dataset and the Report. If I want to make sure that RLS is applied, then at most I can grant users Viewer access to the published-to workspace. Now obviously my users cannot build their own reports.
Next I can export the Report (PBIX) and give it to a user to upload to their workspace (My Workspace). Once embedded in their My Workspace, it appears that the RLS will take effect and the user can use that PBIX to construct their own reports (i.e. it effectively becomes a blank template).
What I want to know is how the security actually works. What I desire is to expose the dataset such that users can point to it from My Workspace, build their own reports, yet still be restricted to the RLS. I sense my workaround is unnecessary, yet I can't seem to find the config that gives me this ability.
Any suggestions?