Row-Level Security (RLS)

Administrator

Row-Level Security (RLS) allows you to restrict data access for given users at the database row level. DataCentral extends Power BI's native RLS capabilities, making it easier to manage complex security rules across thousands of users and tenants.

When a user views a report in DataCentral, the platform passes their assigned RLS roles to Power BI. Power BI then filters the data before rendering the visual, ensuring the user only sees the data they are authorized to see.


1. Standard RLS (Role Codes)

This is the most common method of implementing RLS. It involves creating static roles in Power BI Desktop and mapping them to users in DataCentral.

Step 1: Define Roles in Power BI

  1. In Power BI Desktop, go to Modeling > Manage roles.
  2. Create a new role (e.g., Region_EMEA).
  3. Add a DAX filter to the appropriate table (e.g., [Region] = "EMEA").
  4. Publish the dataset to the Power BI Service.

Step 2: Create Role Codes in DataCentral

  1. In DataCentral, go to Administration > Roles.
  2. Click Add Role.
  3. Name the role (e.g., "EMEA Sales Data").
  4. Set the Role Type to RLS.
  5. Enter the exact Role Code defined in Power BI (Region_EMEA).
  6. Click Save.

Step 3: Assign the Role

Assign the new "EMEA Sales Data" role to the appropriate users or Organizational Units (OUs). When those users view a report connected to that dataset, DataCentral will pass the Region_EMEA code to Power BI.


2. Dynamic RLS

Dynamic RLS uses the logged-in user's identity to filter data dynamically, rather than relying on static role names. This is often achieved using the UserPrincipalName() function in DAX.

Step 1: Define a Dynamic Role in Power BI

  1. In Power BI Desktop, go to Modeling > Manage roles.
  2. Create a single role (e.g., DynamicRLS).
  3. Add a DAX filter that uses the user's identity. For example, if you have a "Security" table mapping emails to regions: [Region] = CALCULATE(MAX(Security[Region]), Security[Email] = UserPrincipalName())
  4. Publish the dataset.

Step 2: Configure DataCentral

  1. In DataCentral, create an RLS role with the code DynamicRLS.
  2. Assign this role to your users.
  3. When a user logs in (e.g., john@partner.com), DataCentral passes their email address as the UserPrincipalName to Power BI, along with the DynamicRLS role code. Power BI filters the data accordingly.

Note: This works seamlessly for Entra ID users. For User Pass and Mobile ID users, DataCentral passes their unique DataCentral username as the UPN.


3. Smart RLS (DataCentral Exclusive)

Managing hundreds of static roles in Power BI Desktop (e.g., Client_1, Client_2 ... Client_500) is tedious and prone to error. Smart RLS solves this by allowing you to pass multiple DataCentral Role Codes into a single dynamic role in Power BI.

This feature requires that authentication to Power BI goes through a Service Principal (i.e., App Owns Data embedding).

How Smart RLS Works

Instead of passing the Role Code as the name of the Power BI role, DataCentral passes the Role Code as the CustomData parameter in the embed token.

Step 1: Define the Smart Role in Power BI

  1. In Power BI Desktop, create a single role (e.g., SmartRole).
  2. Add a DAX filter that reads the value returned by the CUSTOMDATA() function. For example: [ClientID] = CUSTOMDATA()
  3. Publish the dataset.

Step 2: Configure DataCentral

  1. In DataCentral, create RLS roles for each of your clients (e.g., Role Code 1001, 1002, 1003).
  2. Assign these roles to the appropriate users or OUs.
  3. When configuring the Power BI Item in DataCentral (under Administration > Power BI Items), go to the Additional Data tab.
  4. Add the dataset GUID, check Has RLS, and enter SmartRole as the target role name.

When a user assigned the 1001 role views the report, DataCentral tells Power BI: "Apply the SmartRole rule, and pass 1001 as the CustomData." Power BI then filters the [ClientID] column to 1001.

The Advantage: You only manage one role in Power BI Desktop, while managing hundreds of data slices purely within the DataCentral UI.
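
How the modes above differ in the effective identity sent with a Power BI embed token request (the GenerateToken REST call), assuming App Owns Data embedding. This is an added example, not DataCentral's own code. The function names, the user record layout and the GUIDs are constructed for illustration, and only the single-role-code case of Smart RLS is shown.

```python
# Added illustration, not DataCentral code. It builds the JSON body for the
# Power BI REST call POST https://api.powerbi.com/v1.0/myorg/GenerateToken.
# Function names and the `user` record layout are hypothetical.

def effective_identity(user, dataset_id, smart_role=None):
    """Build the RLS identity from the server-side user record only.

    Nothing here may come from the browser: whoever controls these values
    chooses which rows Power BI returns.
    """
    codes = user["role_codes"]
    if not codes:
        # Assumed policy: fail closed rather than request a token without RLS.
        raise PermissionError("no RLS role assigned")
    identity = {"username": user["upn"], "datasets": [dataset_id]}
    if smart_role is None:
        # Standard and Dynamic RLS: role codes are Power BI role names;
        # USERPRINCIPALNAME() in DAX returns identity["username"].
        identity["roles"] = list(codes)
    else:
        # Smart RLS: one fixed role, the role code travels as CustomData
        # (always a string). The page does not say how several codes are
        # encoded, so this example accepts exactly one.
        if len(codes) != 1:
            raise ValueError("example handles exactly one role code")
        identity["roles"] = [smart_role]
        identity["customData"] = codes[0]
    return identity


def token_request(report_id, dataset_id, identity):
    """Assemble the GenerateToken request body for one report and dataset."""
    return {
        "datasets": [{"id": dataset_id}],
        "reports": [{"id": report_id}],
        "identities": [identity],
    }


# Constructed sample values (placeholders, not real GUIDs or accounts).
DATASET = "00000000-0000-0000-0000-0000000000d1"
REPORT = "00000000-0000-0000-0000-0000000000a1"
emea_user = {"upn": "john@partner.com", "role_codes": ["Region_EMEA"]}
client_user = {"upn": "john@partner.com", "role_codes": ["1001"]}

STANDARD = token_request(REPORT, DATASET, effective_identity(emea_user, DATASET))
SMART = token_request(REPORT, DATASET,
                      effective_identity(client_user, DATASET, "SmartRole"))
```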