Karolis Ausra on 16 Mar 2021 08:58:33
We need a possibility to explicitly deny access to a report (or workspace) for a chosen AD group (or groups).
As a result any user, who is or will become a member of this restricted group, will not have (or will loose if already had) access to the report EVEN IF THE REPORT IS AT THE SAME TIME SHARED WITH THE USER (either directly or through another AD group). So the "Deny access" list should always overrule / override the "Grant access" list.
Business challenge:
There are quite many employees (users) changing departments.
There are departments / AD user groups that are not allowed to see certain reports (it is not a question of RLS, because these user groups should not be able to see the whole report at all!).
Take "John" for an example, who is not a member of the restricted AD Group yet (let's name this group "Restricted AD Group").
A confidential report which should not be seen by any member of the "Restricted AD Group" is shared with John directly (as a person).
Later on John switches departments and becomes a member of the "Restricted AD Group".
After that he is still able to see the confidential report, because there is no possibility to deny access for chosen AD groups on a report (or workspace) level.
As a result John must be removed manually from the report by the report owner. When you have an enterprise with many reports and users this user management (so the question "is any of the users with whom I shared my report possibly already a member of a restricted group?") can become a very time-consuming and messy task for the report owners.
Having the possibility to restrict access to certain AD Groups would fully automate this process of access-removal.