Best Row Level Security (RLS) Implementation For Your Analytics
Row Level Security is an important part of an organization‘s security policy. You need to ensure that each user has proper data visibility by adopting the RLS. Without RLS, report consumers may get access to data they should not, such as finance or sales data, resulting data vulnerability.
Row level security enables to restrict the slices of data to different users based on permissions provided to the database table. The access control is applied at the data level and not at the report level. It allows more advanced security which can handle restrictions without relying on the application permissions.
Note: In the Power BI service, members of a workspace have access to datasets in the workspace. RLS doesn’t restrict this data access.
Importance of Row Level Security
- No multiple versions of the report needed:
While sharing the data to users having different roles, organizations need to create separate reports based on the user roles and share with them. It requires an additional efforts and costs. There is no need of different report versions for different users when RLS is implemented.
- Right slice of data visibility:
‘Who sees what’ is very important while large amount of data is being generated by the organization. Example: If there are 4 regional sales heads (East, West, North, South) having 20 people reporting each. The North Sales head should have the access only for the 20 sales executives reporting to him/her. The data for South, West and East should not be accessible to him because he/she is only responsible for the North region performance. Same should apply for East, West and South.
- Centralized Data Management:
RLS implementation happened at the data model level which makes all the implementations and rules maintained at the central location.
Types of Row Level Security in Power BI:
A. Static Row Level Security:
- Static RLS defines the logic of security inside of the Power BI file (PBIX). For every change in the login, developer must open the PBIX file to apply the changes and save the file and publish it again.
- Static RLS is implemented using Power BI desktop and resides within Power BI file.
- Power BI developer requires a basic knowledge about the RLS to set up and implement.
- Static RLS needs a high maintenance as, for every change in the user role or user type, RLS needs to be updated and Power BI needs to be republished on the Power BI service
- In the static RLS, Data visibility needs to be limited for a specific group of users that need access to the same level of information.
- Security complexity is less as report has a high level and straightforward security logic
- It is best suitable for Power BI reports with small number of users and frequency of change of user permissions is less.
B. Dynamic Row Level Security
- Dynamic Row Level Security defines the logic of security inside the data model. To make changes in the logic, developer just needs to modify the records in the tables, thereby making it data driven.
- Dynamic RLS is implemented using Power BI Desktop and resides within Power BI File along with Role Based Configuration Tables and relationships in the data model.
- Developer needs a considerable experience in data modeling and business domain to set up the Dynamic RLS correctly.
- Dynamic RLS requires a low maintenance if the set up is at its best possible way. It requires less changes in the implementations as configuration tables can take care of the major changes.
- Data visibility needs to be limited for a specific group of users that need access at different levels of information.
- Dynamic RLS is best suited when there are large number of users having different security roles and frequency of change of user permissions is high.
- Dynamic Row Level Security implements a complicated and complex security logic (for example, when the security logic is defined by job function, department, locality, or combination).
Power BI Row Level Security Use Cases
- Location-based: When the organization wants a user to only view information within a specific area or location (City/State/Country).
- Employee-based: When the organization wants an employee to only view information pertaining to his job responsibility. For example, a Store Manager should only view information related to the store’s business.
- Business Line-based: When the organization wants a user to only view information within a specific business line (Product/Service/Unit).
- Other: Apart from the above-mentioned use cases, RLS can also be implemented with respect to Time (Month/Year), Customer (Specific Customer/Group of Customers), etc.
Joining the Dots:
Our team has expertise in RLS implementation & Data Governance practices. They found it complex to implement for citizen developers.
Intellify has developed an Embedded Analytics Solution for organizations which has capabilities to implement the Row Level Security in just few clicks. The citizen developer just has to mention the dimension(s) from the data model for which data access to be given and save the report configurations. And it’s done!
To schedule a live demo of the solution write us on firstname.lastname@example.org