Add a default role for row level security
I want to be able to assign all users (including new ones) to a default role in RLS. Currently I have to assign each user to the role manually, and update the roles manually when users change.
This limits the ability to use RLS with a larger user base.
Hi, it's possible to do this! Just create a role that has full view, and in the service environment security settings add "Everyone" to the role.
Yes! I agree. This feature is very important. Makes it easier for dynamic role management. I have created a dynamic relationship manager role in my Power BI report but it appears I have to manually add the users to the RM role before it allows them access.
Denise Bertsch commented
Agreed. Users should be able to create RLS and then immediately obtain the Reader role on a Dataset when published up to the service. If more than a reader role is needed, then and only then would the solution owner manage that exception. The norm should be the assignment of Reader. This would eliminate the multiple steps it takes and make it easier for all.
Kamil Suski commented
Internal users' roles can easily be managed by O365 groups.
role called 'Department' - single member in PowerBI: email@example.com
managing actual users to be members of firstname.lastname@example.org distribution group will propagate to powerBI just fine.
If you are to grant read only access to anyone outside of the company - user is not part of "@company.com" he/she will not match anything in local groups.
Solution would be to allow wildcards as members of custom role:
Let's say custom role named "Everyone" - with one member: * - effectively matching everyone.
With this setup, role named 'None' as visible in PowerBI Desktop will have no members (every user is forced to be member of "Everyone" role - unless matching filter for other roles)
Another option would be to allow DAX filtering on 'None' role (currently not possible).
Samuel Vrbovský commented
Please add this feature. This would help immensely.
Alexander Knight commented
One option could be to use Office 365 Groups to assign all users to the RLS in the service.
George Tylee commented
To mimic a default role with no permissions, I am experimenting with importing two matching sets of data, one with the true (positive/negative) sign and one with the opposite.
In the 'Manage Roles', the specific role has a DAX filter to only include the correct data.
Thus with no role selected in the web service (the default) a zero sum is shown, but if a role is allocated the actual amount is.
sai krishna commented
Is the RLS available in new workspace yet?
Jim Budde commented
I am in strong agreement with others on this feature. If someone grants access to a report (there are many at this point) but forgets to add them to a specific role/group, the current default behavior is to grant access to ALL data; a bit backwards logic if you ask me.
Andi K. commented
Agree - if we could have some role defined for those who are not assigned to a role this would be good.
For the time being I'm using a corporate GMS group to add everyone.
Would very much like to see this appear in the near future - with a growing amount of users accessing Power BI, the ability to assign a default role that restricts visible data would be incredibly useful.
James Houck commented
Totally agree - we need the ability to assign a "Default" role to all users. This would add incredible power to RLS so that you are only assigning a different role if needed, rather than for EVERY user.
Eduard van Valkenburg commented
Any updates on this? I need this function very much for a group of a couple of hundred people all over the world, changing every day!
Jay Killeen commented
I just realised Other User allows you to check against a specific user's email. Bugger.
Jay Killeen commented
It is interesting that when you click 'View as roles' there is a 'None' and an 'Other user'.
'Other user' is defined nowhere and we don't have the ability to set the rules on it... so why have it? Maybe they are preparing for this feature and allow us to set a rule against 'Other User' that is defined to anyone that has accessed but not yet given a role.
Sélim Mihic commented
Agree that it is a simple but very helpful feature. Having to add a user to an RLS is very cumbersome.
It would also help when trying to give minimal access by default. If no roles were passed, the default role could block most, if not all, data. This would allow you to create reports that require a role in order to see any data instead of the lack of a role showing all data.
Greig Dendor commented
If the 'Manage Roles' dialog had a 'default' option to set table filters for users who had no role assigned, the problem would be solved from my point of view.
I would very much appreciate this functionality as well. If you have a large userbase that is changing frequently you really need a default role!
Fully agree. This functionality is very much needed to simplify access management.