Add a default role for row level security
I want to be able to assign all users (including new ones) to a default role in RLS. Currently I have to assign each user to the role manually, and update the roles manually when users change.
This limits the ability to use RLS with a larger user base.
Samuel Vrbovský commented
Please add this feature. This would help immensely.
Alexander Knight commented
One option could be to use Office 365 Groups to assign all users to the RLS in the service.
George Tylee commented
To mimic a default role with no permissions, I am experimenting with importing two matching sets of data, one with the true (positive/negative) sign and one with the opposite.
In the 'Manage Roles', the specific role has a DAX filter to only include the correct data.
Thus with no role selected in the web service (the default) a zero sum is shown, but if a role is allocated the actual amount is.
sai krishna commented
Is the RLS available in new workspace yet?
Jim Budde commented
I am in strong agreement with others on this feature. If someone grants access to a report (there are many at this point) but forgets to add them to a specific role/group, the current default behavior is to grant access to ALL data; a bit backwards logic if you ask me.
Andi K. commented
Agree - if we could have some role defined for those who are not assigned to a role this would be good.
For the time being I'm using a corporate GMS group to add everyone.
Would very much like to see this appear in the near future - with a growing amount of users accessing Power BI, the ability to assign a default role that restricts visible data would be incredibly useful.
James Houck commented
Totally agree - we need the ability to assign a "Default" role to all users. This would add incredible power to RLS so that you are only assigning a different role if needed, rather than for EVERY user.
Eduard van Valkenburg commented
Any updates on this? I need this function very much for a group of a couple of hundred people all over the world, changing every day!
I just realised Other User allows you to check against a specific user's email. Bugger.
It is interesting that when you click 'View as roles' there is a 'None' and an 'Other user'.
'Other user' is defined nowhere and we don't have the ability to set the rules on it... so why have it? Maybe they are preparing for this feature and will allow us to set a rule against 'Other User' that applies to anyone that has accessed but not yet been given a role.
Sélim Mihic commented
Agree that it is a simple but very helpful feature. Having to add a user to RLS is very cumbersome.
It would also help when trying to give minimal access by default. If no roles were passed, the default role could block most, if not all, data. This would allow you to create reports that require a role in order to see any data instead of the lack of a role showing all data.
Greig Dendor commented
If the 'Manage Roles' dialog had a 'default' option to set table filters for users who had no role assigned, the problem would be solved from my point of view.
I would very much appreciate this functionality as well. If you have a large userbase that is changing frequently you really need a default role!
Fully agree. This functionality is very much needed to simplify access management.
I agree with this as well. It should be something like 'User Level Security' where anyone that has not been assigned a role can have their data scoped down by attributes found on the Username() model.
For example 'email@example.com' accesses the report and has no role assigned. Behind the scenes PowerBI finds my Username().
Option 1. Username() inner joins on my User model by matching Username() -> User.email. All other models are inner joined on User therefore all data is then scoped down by the single entity User that has been matched by Username().
Option 2. Username() itself in AD has fields such as Division, Region or even Role etc and rules can be set (similar to existing RLS Table Filter rules) that utilise the value of these fields.
Under Option 2 you might have a rule on the Region table that sets Region.Code = Username().RegionCode.
This way, anyone logging in that has no role assigned could have filters applied based on the User Level Security filters.
I'd then simply be able to set my rules by user and expect my 1000+ members to be scoped down based on those rules and their attributes can be managed centrally in AD.
This is how it is done in web frameworks such as Ruby on Rails (see the Pundit Gem or CanCan)
Eric Dupont commented
Were you able to find a solution for this issue? I have the same problem...
Default role should be assigned through the PBI service. This is especially important once you have implemented dynamic RLS.
RLS is set at both the data level in the Desktop and then at the Dataset level in the service. I am using the "Username()" DAX function in the desktop to set up a role and join this to a pre-built 2 column table of user ids and Branches each user has access to.
The issue is that in the Service, at the dataset, I need to manually add each user. There should be an option to have the RLS applied to ALL users.
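An added example, not part of the thread and not Power BI code: a small Python model of the fallback requested above, where a user with no explicit role gets a default filter driven by a two-column user-to-branch mapping table, and an unmapped user sees no rows. Every name, role and data row here is constructed for illustration.

```python
# Added illustration: a model of "default role" evaluation, not Power BI code.
# All names and data below are constructed for the example.

SALES = [
    {"branch": "North", "amount": 120},
    {"branch": "South", "amount": 80},
    {"branch": "East", "amount": 45},
]

# Two-column mapping table: user id -> branch the user may see.
USER_BRANCH = [
    ("alice@example.com", "North"),
    ("Alice@Example.com", "East"),   # same user, different casing
    ("bob@example.com", "South"),
]

# Explicit role membership; anyone absent here falls through to the default role.
ROLE_MEMBERS = {"AllBranches": {"carol@example.com"}}


def norm(username):
    """Normalise an identity so casing or stray spaces cannot change the match."""
    return username.strip().casefold()


def branches_for(username):
    """Return the set of branches mapped to this user (empty if unmapped)."""
    user = norm(username)
    return {branch for uid, branch in USER_BRANCH if norm(uid) == user}


# Each role is a row predicate taking (row, normalised username).
ROLE_FILTERS = {"AllBranches": lambda row, user: True}


def default_filter(row, user):
    """Default role: only rows for branches mapped to this user; none if unmapped."""
    return row["branch"] in branches_for(user)


def visible_rows(username, rows=SALES):
    user = norm(username)
    roles = [name for name, members in ROLE_MEMBERS.items()
             if user in {norm(m) for m in members}]
    # Explicit roles win; with no role the default filter applies (fail closed).
    filters = [ROLE_FILTERS[name] for name in roles] or [default_filter]
    return [row for row in rows if any(f(row, user) for f in filters)]
```

In this model the absence of a role never widens access: the only way to see every row is explicit membership in a role whose filter allows it.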