Configuring row-level security group membership

As you saw in Chapter 5, Designing a Data Model, you can use DAX to filter your reports for row-level security. Once you publish your dataset to the Power BI service, you can enforce row-level security by assigning users or groups to the roles you created.

Power BI uses Azure Active Directory (AAD) for security. You can add members or AAD security groups to the roles created in a report. Row-level security can use distribution groups, security groups, or mail-enabled security groups.

Test Tip

Row-level security cannot use Microsoft 365 groups.

It is important to note that row-level security only applies to users who have Viewer access to the workspace. If a user is assigned, either directly or through membership of a group, to a workspace role with more elevated permissions, row-level security will not apply. That means that anyone who has been assigned the Contributor, Member, or Admin role in the workspace will see all the data, unfiltered by row-level security.

Test Tip

Row-level security does not apply to anyone with editing permissions to the workspace.

Assigning a user or group to a role starts with the dataset. Go to the Datasets + dataflows page from the menu, then hover your mouse over the dataset name and open the drop-down menu by clicking on the three vertical dots. Select the Security option from the menu.

Figure 15.6 – Row-level security is configured from the security page

This will open the row-level security page. If your dataset has roles defined, you will see them listed here.

Select the role you want to assign users or groups to and use the search box to find them in AAD. Once you have assigned the required members to the role, click Save.

Figure 15.7 – Adding users or groups to row-level security by searching AAD

Once you have populated all the row-level security roles, you are done.
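Before treating the roles as finished, it is worth checking the Viewer-only rule and the Microsoft 365 group restriction described above against the members you assigned. The following is an added example, not code from this book or from Microsoft: it assumes you have exported workspace access, row-level security role members, and group membership into the dictionaries shown, and all names and addresses in it are constructed.

```python
# Assumed input shapes (constructed for this example, not a Power BI API format).
ELEVATED = {"Admin", "Member", "Contributor"}  # workspace roles that bypass RLS
UNSUPPORTED_GROUP_TYPES = {"Microsoft 365"}    # group type RLS cannot use

def expand(principal, groups, seen=None):
    """Return the set of users behind a principal, following nested groups."""
    seen = set() if seen is None else seen
    if principal not in groups:
        return {principal}          # a plain user
    if principal in seen:
        return set()                # guard against cyclic nesting
    seen.add(principal)
    users = set()
    for member in groups[principal]["members"]:
        users |= expand(member, groups, seen)
    return users

def audit_rls(workspace_access, rls_roles, groups):
    """Flag RLS assignments that will not filter data as intended."""
    elevated_users = {}             # user -> how they obtained edit rights
    for principal, role in workspace_access.items():
        if role in ELEVATED:
            for user in expand(principal, groups):
                elevated_users.setdefault(user, f"{role} via {principal}")
    findings = []
    for rls_role, principals in rls_roles.items():
        for principal in principals:
            gtype = groups.get(principal, {}).get("type")
            if gtype in UNSUPPORTED_GROUP_TYPES:
                findings.append((rls_role, principal, f"unsupported group type: {gtype}"))
                continue
            for user in sorted(expand(principal, groups)):
                if user in elevated_users:
                    findings.append((rls_role, user, f"RLS bypassed: {elevated_users[user]}"))
    return findings

# Constructed sample tenant
GROUPS = {
    "sg-sales-emea": {"type": "Security", "members": ["ana@contoso.example", "bo@contoso.example"]},
    "sg-bi-devs": {"type": "Security", "members": ["bo@contoso.example"]},
    "m365-sales": {"type": "Microsoft 365", "members": ["cy@contoso.example"]},
}
WORKSPACE_ACCESS = {"sg-sales-emea": "Viewer", "sg-bi-devs": "Contributor", "dee@contoso.example": "Admin"}
RLS_ROLES = {"EMEA": ["sg-sales-emea", "dee@contoso.example"], "APAC": ["m365-sales"]}

if __name__ == "__main__":
    for finding in audit_rls(WORKSPACE_ACCESS, RLS_ROLES, GROUPS):
        print(finding)
```

In the sample, bo@contoso.example is a Viewer through one group but a Contributor through another, so the EMEA filter never applies to that account.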