Dec122023
Authorization concepts in Microsoft Power BI, ols, pls

Why is an authorization concept needed in Microsoft Power BI? 

With a good authorization concept in Microsoft Power BI It is possible to specify very precisely which user can see which data. There is the RLS (row-level security), which has been in use for a long time, which regulates security at the row level, and the somewhat more hidden OLS (object-level security), which defines authorization on entire tables or even individual columns. Once these permissions are in place, it is ensured that only the desired data is visible to users. 

 

When does an authorization concept make sense? 

Let's take the company BeRechtigung AG as an example. It consists of a management board (GL) and two regional managers (RL). RL 1 manages the Zurich and Basel region and RL 2 manages Bern, Hinwil and Geneva. 

Goal 1 

  • The management has no restrictions 
  • The two regional managers only have access to their regions

RLS, row-level security, powerbi

 

Solution (RLS) 

In Power BI Desktop three roles are defined. Role RL1 only gives access to the Zurich and Basel regions and role RL2 only gives access to Bern, Hinwil and Geneva. The GL role has no restrictions.

RLS solution authorization concept Power BI

 

In Power BI Services will subsequently can user the Roles assigned. 

 

Row Level Security, Microsoft Power BI, Permissions Concept

 

With frequentm Switching or many users is a dynamic assignment by logged in user more sensible. 

 

Goal 2 

  • Management has no restrictions 
  • The two regional managers are only allowed to see the sales 

ols, power bi

 

Solution (OLS) 

  • In Power BI Desktop, the model can be accessed via the Tabular Editor. The Tabular Editor is located under the “external tools”.  
  • Here you can specify per table or per column which role has which access. 

ols, object-level security, authorization concept in microsoft power bi, tabular editor

 

Further options for restricting access 

Power BI Service offers another interesting option for restricting access. This does not determine which data the user has access to, but rather which data Reports. 

One can per work area  APP be created that defines this restriction. Up to 10 groups can be created within the APP, specifying which reports allowed to see them. 

APP Powerbi

Depending on the situation, there is no need for RLS or OLS and it gives the report creator another tool. 

 

The last thing that is missing now is the possibility of individuals Restrict pages in a report:

Let's assume that the first page of our example company's report shows a comparison of regional management. This is not exciting for the RL because he only ever sees himself. It only becomes interesting for him when there is the opportunity to immerse himself in the respective regions. 

For this reason, the first page is meaningless to him and it would be better if he didn't see this page at all. So there is one Page Level Security (PLS) exactly what it needs. Although Power BI does not (yet?) offer a standard for this, this can also be solved confidently using an auxiliary table and DAX formulas. 

 

Summary Authorization concept in Power BI

APP, Power Bi authorization concept summary, page level security, pls

If you have any questions, we are happy to help you at any time! – Book a non-binding consultation with our Power BI expert Corina Camenzind.

Share post