Another aspect of sharing is the security on the data set. Enabling different roles and giving users access to different levels of data is called Row Level Security. This post explains the details of this security method and how to configure it in Power BI Desktop. Row Level Security enables you to apply security to roles and adds users to each role. An example is helpful when you want people from one branch, city, department, or store to be able to only see their part of the data and not the whole data set. Power BI applies that through a row level security configuration on the Power BI model itself. So regardless of what source you are importing your data from, you can apply row level security on it. If you like to learn more about Power BI, read Power BI online book; from Rookie to Rock Star.
What’s Good About Row Level Security in Power BI Desktop?
Row Level security is about applying security on a data row level. For example sales manager of united states, should only see data for the United States and not for Europe. Sales Manager of Europe won’t be able to see sales of Australia or United States. And someone from the board of directors can see everything. The reason was that Row Level Security wasn’t part of Power BI model. Now in the new version of Power BI Desktop, the security configuration is part of the model and will be deployed with the model.
For this example I will use AdventureWorksDW excel sample data source. You can download it from here.
Create Sample Report
Let’s start with creating a sample report in Power BI Desktop from AdventureWorks Excel file. I only select DimSalesTerritory, and FactResellerSales for this example;
without any changes in Power Query editor, let’s load it in the report, and build a simple column chart with Sales Amount (from FactResellerSales), and Country (from DimSalesTerritory).
The chart shows sales amount by countries, which can be used for creating row level security on Geo-location information easily. Now let’s add one card visualization for total Sales Amount. And two slicers (one for Sales Territory Group, and the other one for Sales Territory Region). Below screenshot is the layout of this sample report now;
Our total Reseller sales amount in this view is $80M, and we have sales values for Australia, Canada, France, Germany, UK, and the USA. Now let’s create roles.
Now let’s create roles for that. Our goal here is to build roles for sales manager of USA, and Europe. They should each only see their group or country in the data set. For creating roles go to Modeling tab in Power BI Desktop. You will see a section named Security there;
Click on Manage Roles to create a new role. You will see Manage Roles window which has three panes as below
You can create or delete roles in numbered one pane, You can see tables in your model in numbered two pane (for this example you will see two tables only, but not now, after creating the first role), and then you can write your DAX filtering expression in numbered three pane. Yes, you have to write DAX code to filter data for each role, but this can be very simple DAX expressions.
Now Create a Role, and name it as “USA Sales Manager”, you will see two tables in the Tables section: FactResellerSales, and DimSalesTerritory. With a click on ellipsis button on each table, you can create DAX filters for each column. From DimSalesTerritory create a filter for Country.
Now in the DAX Filter expression, you will see an expression created automatically as [SalesTerritoryCountry] = “Value”, change the value to the United States, and apply.
Now create another role, name it as Europe Sales Manager, put a filter on SelesTerritoryGroup this time, and change Value to “Europe” as below;
Testing Roles in Desktop
Great, we have created our two sample roles. Now let’s test them here. Yes, we can test them in Power BI Desktop with View As Roles menu option. This option allows us to view the report exactly as the user with this role will see. We can even combine multiple roles to see a consolidated view of a person who has multiple roles. Go to Modeling tab, and choose View As Role option.
Choose Europe Sales Manager, and click on OK. You will see sales for Europe only showing with total of $11M, and showing only countries Germany, UK, and France.
You can also see in the top of the report there is an information line highlighted showing that the view is Europe Sales Manager. If you click stop viewing, you will see the report as normal view (total view).
Power BI Service Configuration
Roles should be assigned to Power BI users (or accounts in other words), and this part should be done in Power BI Service. Save and publish the report into Power BI. I named this report as RLS PBI Desktop. You can name it whatever you want. After publishing the report, click on Security for the data set.
Here you can see roles and assign them to Power BI accounts in your organization.
You can set each user to more than one role, and the user then will have a consolidated view of both roles. For example, a user with both roles for the USA and Europe sales manager will see data from All Europe and USA.
Test Roles in Power BI Service
You can also test each role here, just click on ellipsis button beside each role, and click on Test as Role.
Test As Role will show you the report in view mode for that role. As you see the blue bar shows that the report showed the role of Europe Sales Manager. You can change it there if you like.
With setting users for each role, now your role level security is ready to work. If the user login with their account, they will only see data for their roles.
Re Publish Won’t Hurt
As I mentioned in the very first paragraph of this chapter, the great thing about this new feature is that RLS is part of Power BI model. And if you publish your Power BI model again and again with changes, you won’t lose configuration on the web. You also won’t lose users assigned to each role, as long as you keep role names unchanged.
Row Level Security is giving users different views of the data from the same Power BI content. As you have learned in this chapter, implementing row level security is simple. The reason this method is called ROW level security is because of the DAX filter applied on the data row level.
In this chapter you’ve learned about a specific type of row level security called Static row level security. It is called static, because the filter values are statically determined in DAX expressions. If you want to apply such filter for thousands of roles, then maintenance costs is very high. In ideal world, you want to be able to apply security based on the login of users automatically. In next chapter you will learn about Dynamic Row Level Security which is the next step of apply security in more complex scenarios.