Row Level Security in Power BI – Part 2

In Part 1 of this series, we discussed Row Level Security in Power BI, that it is different from RLS in SQL Server 2016, and then went on to demonstrate two simple scenarios where RLS can be used to filter data in a model based on Role assignment utilizing some DAX filter expressions. We introduced the USERNAME() DAX function and demonstrated its usefulness. In this second article, we’ll be diving a little deeper into RLS.

Row Level Security in Power BI Scenario 3:

Those first two scenarios from Part 1 were not that bad to implement. One line of a DAX expression and you’ve got a simple filter covered. But life seldom hands us a scenario that is so cut and dried. For this scenario, we’re going to add some requirements that might get handed down by the business users, such as:

  • Ability to grant access to a group of countries, like continents, or regions.
  • Ability to have any one country be in multiple geo-political groups.
  • Ability to grant and revoke access to an entire group of people at once rather than needing to address each person individually
  • Ability to grant access on any one country to any one individual

For this we’re going to again go back to the database and create a few tables to help us. We already have the Country table so no need to do anything there. But we’ll add four more:

  • Users
  • Groups
  • User Group Membership
  • Country Group Membership

The T-SQL code for this can be found in the attachment, and a simple database drawing is shown here:

[Image: Row Security 3-1-1]

We’ll also add some rows to the respective tables via basic INSERT statements, which are included in the attached scripts.

For those of you who, like me, are full-blooded SQL nerds, I have included the CREATE TABLE, INSERT INTO, and CREATE VIEW scripts that can be executed in your database. But we don’t need to import all four additional tables into the model; we simply need the distinct list of Users and the Countries to which each has access. This is represented in the [dbo].[SecurityQuery] view (Script #05). If you look at the view definition, note the DISTINCT keyword in the SELECT clause, the optional fields to show the User’s Full Name and the Country Name, the absence of any fields from the [Group] or [GroupUser] tables, and the WHERE clause at the bottom that filters for only Active records.

First, we’ll need to remove the Continent table from the model, then import the SecurityQuery dataset. Since this is not an exercise in how to import data, I’ll leave it up to you to get that done. And while you’re adding it, you might as well add the [SecurityReference] view as well and we’ll cover its usage at the end of the article.

Once you have the [SecurityQuery] in your model, it needs to be joined to the Country table, on Country code:

[Image: Row 3-1-2]

Hint: If you have sufficient rows in the Security Query dataset, when you set up the relationship between [Country Code] in the Country table and the [Country Code] in the Security Query table, Power BI will recognize that this is a one-to-many relationship with the Country table being at the “one” side.

As before, we will use the Manage Roles button on the Modelling tab to configure the DAX filter for the Roles. We’ll start with what we learned from Part 1: a filter on the [UserName] field that makes use of the USERNAME() DAX function:

[Image: Row 3-1-3]

But if we were to browse the model now as any one member in our set, we’ll see that he or she is limited in the rows returned by the Security Query, but NOT limited in the rows returned from the Country table. Why not? It worked before. It is because the table on which the USERNAME() filter is applied is not at the top of the hierarchy; it’s at the bottom. To make things more complicated, there are two branches from the top of that hierarchy: one branch to Sales, through the Country table, and one branch directly to the security table. If only there were a way to filter the countries in that table based on those listed in the Security Query table. We need something more.

Enter the CONTAINS() DAX function. The description from MSDN is as follows:

Syntax

CONTAINS(<table>, <columnName>, <value>[, <columnName>, <value>]…)

Return Value

A value of TRUE if each specified value can be found in the corresponding columnName, or are contained, in those columns; otherwise, the function returns FALSE.

If you’re like me, you’ll read that and think, “say WHAT?” Let’s implement it first, then we’ll sort out and explain how the parameters are used. Back under the Manage Roles, add a Filter to the Country table as the following (hint: it doesn’t matter which column you select as you will be replacing it with the entire text below):

CONTAINS (
    'SecurityQuery',
    'SecurityQuery'[UserName],
    USERNAME(),
    'SecurityQuery'[CountryCode],
    'Country'[CountryCode]
)

Note: The line breaks are not required in this, but are added for clarity of reading.

Now here’s the layman’s description of how the DAX statement above works with the five parameters, in order of their appearance:

Go to the 'SecurityQuery' table (1st parameter), and in the column 'SecurityQuery'[UserName] (2nd parameter), look for any rows that match the value returned by the function USERNAME() (3rd parameter). Then for those rows, take the values in the column 'SecurityQuery'[CountryCode] (4th), and see if those values exist in the column 'Country'[CountryCode] (5th). If that [CountryCode] value is found, return TRUE for that row and allow it to be viewed in this context.

There are a couple of things to watch for when implementing this approach. First, you need to have a relationship defined between the Country table and the SecurityQuery table. Second, the <value> parameter (3rd parameter) of the CONTAINS() function can be just that, a single value, not a list or table. But the USERNAME() function fits this bill nicely. Third, you still need the [UserName] = USERNAME() security filter on the Security Query dataset.

If you followed the INSERT scripts included, you will recall that there were only two people involved: Fred and Bob. And you may recall that we granted Fred access to a Group called “Pacific Rim” (which included countries such as Japan, Hong Kong, and the Philippines) but that [GroupMembership] row was NOT flagged with [IsActive] = 0. Fred’s mapped data looks like this:

[Image: Row 3-1-4]

Now here’s where the [SecurityReference] dataset comes in. After adding it as part of the model, you need to make sure that A) it has NO relationships to any other tables and that B) it also has a [UserName] = USERNAME() DAX filter expression applied.
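The four security tables, the two views and the CONTAINS() filter discussed above, as one added T-SQL example that is not the article’s attached script: the table and column names (dbo.[User], dbo.[Group], dbo.GroupUser, dbo.GroupCountry), the e-mail addresses and the sample rows are assumptions constructed here, and the dbo.Country table is created only as a stand-in for the article’s existing one so the script runs on its own.

```sql
-- Added example, not the article's attached scripts: an assumed T-SQL schema for the
-- four security tables, the two views the article describes, and a query that shows
-- what the CONTAINS() role filter on the Country table amounts to in SQL.
-- All table/column names and the sample rows are assumptions constructed here.

-- Stand-in for the article's existing Country table (only so this script runs alone).
CREATE TABLE dbo.Country (
    CountryCode CHAR(2)      NOT NULL PRIMARY KEY,
    CountryName NVARCHAR(60) NOT NULL,
    Continent   NVARCHAR(30) NOT NULL
);

CREATE TABLE dbo.[User] (
    UserId   INT           NOT NULL PRIMARY KEY,
    UserName NVARCHAR(256) NOT NULL UNIQUE,  -- name@domain form, to match DAX USERNAME()
    FullName NVARCHAR(100) NOT NULL
);

CREATE TABLE dbo.[Group] (
    GroupId   INT           NOT NULL PRIMARY KEY,
    GroupName NVARCHAR(100) NOT NULL
);

-- Who is in which group. IsActive lets access be revoked for one person or a whole
-- group by flipping a flag, without deleting the row (the history stays auditable).
CREATE TABLE dbo.GroupUser (
    GroupId  INT NOT NULL REFERENCES dbo.[Group](GroupId),
    UserId   INT NOT NULL REFERENCES dbo.[User](UserId),
    IsActive BIT NOT NULL DEFAULT 1,
    PRIMARY KEY (GroupId, UserId)
);

-- Which countries a group covers. One country may appear under several groups.
CREATE TABLE dbo.GroupCountry (
    GroupId     INT     NOT NULL REFERENCES dbo.[Group](GroupId),
    CountryCode CHAR(2) NOT NULL REFERENCES dbo.Country(CountryCode),
    IsActive    BIT     NOT NULL DEFAULT 1,
    PRIMARY KEY (GroupId, CountryCode)
);
GO

-- Constructed sample rows (not the article's INSERT scripts).
INSERT dbo.Country VALUES ('US', N'United States', N'North America'), ('CA', N'Canada', N'North America'),
                          ('JP', N'Japan', N'Asia'), ('HK', N'Hong Kong', N'Asia'), ('PH', N'Philippines', N'Asia');
INSERT dbo.[User]  VALUES (1, N'fred@example.com', N'Fred'), (2, N'bob@example.com', N'Bob');
INSERT dbo.[Group] VALUES (10, N'Pacific Rim'), (20, N'North America'), (30, N'Japan Desk');
INSERT dbo.GroupCountry VALUES (10, 'JP', 1), (10, 'HK', 1), (10, 'PH', 1),
                               (20, 'US', 1), (20, 'CA', 1),
                               (30, 'JP', 1);                 -- Japan sits in two groups
INSERT dbo.GroupUser VALUES (10, 1, 0),                       -- Fred's Pacific Rim membership is inactive
                            (20, 1, 1),                       -- Fred: North America
                            (10, 2, 1), (30, 2, 1);           -- Bob: Pacific Rim and Japan Desk
GO

-- What the model imports. DISTINCT collapses Bob's two routes to Japan into one row,
-- the WHERE clause drops inactive memberships, and no Group/GroupUser columns are exposed.
CREATE VIEW dbo.SecurityQuery AS
SELECT DISTINCT u.UserName, u.FullName, gc.CountryCode, c.CountryName
FROM dbo.[User] AS u
JOIN dbo.GroupUser    AS gu ON gu.UserId = u.UserId
JOIN dbo.GroupCountry AS gc ON gc.GroupId = gu.GroupId
JOIN dbo.Country      AS c  ON c.CountryCode = gc.CountryCode
WHERE gu.IsActive = 1 AND gc.IsActive = 1;
GO

-- Reference view for the matrix visual: keeps the group and the flag, inactive rows
-- included, and is imported with no relationships so it never filters the rest of the model.
CREATE VIEW dbo.SecurityReference AS
SELECT u.UserName, g.GroupName, c.CountryName,
       CAST(gu.IsActive AS INT) AS IsActive           -- INT so the visual can SUM it
FROM dbo.[User] AS u
JOIN dbo.GroupUser    AS gu ON gu.UserId = u.UserId
JOIN dbo.[Group]      AS g  ON g.GroupId = gu.GroupId
JOIN dbo.GroupCountry AS gc ON gc.GroupId = g.GroupId
JOIN dbo.Country      AS c  ON c.CountryCode = gc.CountryCode;
GO

-- SQL reading of the CONTAINS() role filter on the Country table: a country row survives
-- only if the current user has an active, distinct SecurityQuery row for that CountryCode.
-- The variable stands in for the value DAX's USERNAME() supplies at query time.
DECLARE @UserName NVARCHAR(256) = N'fred@example.com';
SELECT c.CountryCode, c.CountryName
FROM dbo.Country AS c
WHERE EXISTS (SELECT 1 FROM dbo.SecurityQuery AS s
              WHERE s.UserName = @UserName AND s.CountryCode = c.CountryCode);
```

With these constructed rows, Fred’s only active membership is North America, so the final query returns only the US and Canada for him; his inactive Pacific Rim row is dropped by the view, not by the role filter. Setting the variable to Bob’s address returns Japan, Hong Kong and the Philippines, with Japan listed once despite his two group routes to it. Because both IsActive flags are checked in the view, revoking access is a flag change in the database that takes effect on the next dataset refresh, with no redeployment of the model.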

I added a report page to my Power BI model and a simple Matrix visualization based on this table and configured it as follows:

  • Rows = [Country Name]
  • Columns = [GroupName]
  • Values = [IsActive], with a SUM aggregation
  • For the [IsActive], I set up Conditional Formatting with the following properties

[Image: Row 3-1-5]

The resulting visualization is a nice way to see exactly HOW a person has gotten access to any one particular country (via membership in which Group), and which countries are in any Group they are also a member of, even if that membership is not active.

[Image: Row 3-1-6]

It is true that a lot of what is introduced here may not specifically be “Row Level Security” stuff, but rather T-SQL overhead. After all, all you really need for this 3rd scenario to work is the distinct list of Users and Countries that are allowed access. But given the 173 countries in the world and, say, two dozen people for whom access control is required, that’s potentially up to 4,000 rows of data controlling who has access to what. Breaking it into Users and Groups and Memberships is a way to manage the mess.

About Todd: Todd Chittenden started his programming and reporting career with industrial maintenance applications in the late 1990’s. When SQL Server 2005 was introduced, he quickly became certified in Microsoft’s latest RDBMS technology and has added certifications over the years. He currently holds an MCSE in Business Intelligence. He has applied his knowledge of relational databases, data warehouses, business intelligence and analytics to a variety of projects for BlumShapiro since 2011.


Row Level Security in Power BI – Part 1

The folks at Microsoft have been steadily adding features to both the Power BI service and the downloadable Power BI Desktop over the past eighteen months since it reached General Availability in July of 2015. Row Level Security is one such feature, allowing the developer to restrict which data is seen by users. Like most other major features, it was introduced into the Power BI Service first, then eventually added to the Desktop. However, unlike other features, upon its addition to the Desktop, it, or most of it, was removed from the Service. After all, you really only need it in one place. Having it in both places would just cause confusion and conflicts. However, there are some lingering aspects in the Power BI service that require attention after deploying a model that has Row Level Security defined. In this post, we’ll look at this feature of Power BI, how to get it up and running in the Desktop, what needs to be done on the Service, and some common scenarios for when it might be useful.

But before we get started, you need to be made aware of two points. First, RLS in Power BI is NOT the same as RLS in SQL Server 2016. Yes, both are great new features in their respective products, and do pretty much the same thing of restricting user access to certain rows of data. They even share the same acronym, and the results are pretty much the same, but the implementation methods of each are quite different. RLS in SQL Server uses T-SQL functions and other artifacts inside the SQL database, while Power BI uses DAX. Another major difference is that RLS in Power BI can be used regardless of the data source type.

The second major point is that RLS and Power BI Dashboard’s Q&A feature are mutually exclusive. You can have one or the other, but not both. While some readers may not really care about that, others may simply stop reading right here based on that revelation alone. But before you click off the page because of this limitation, take a moment to voice your opinion at the Power BI Feedback site for this particular issue. Even if you don’t care, some day you might and I encourage you to vote on the item. Go ahead, we’ll wait.

Ok, you’re back? Good, let’s get started.

Row Level Security in Power BI Scenario 1

The first scenario we’re going to explore is one where you have hard-coded roles for each particular segment of data. For the demo model for all these scenarios, I generated data that was spread across the globe, and tied the access directly to continents, then later to countries. This makes it very easy to determine at a glance if data is being filtered properly. The Power BI map visualization is the ideal choice for this as your eyes can easily determine which geographic entities are represented by the data. We’ll see the map again later on, but for starters, the unfiltered data maps like this:

[Image: Row Level Security 1]

Before we set the security for this data, I’ll explain a little about this particular model’s data structure: it is made up of three tables as shown here: Country, Customer, and Sales. The Country table lists all of the countries in the world, and which continent they are on. Also, that table is at the “one” side of a one-to-many relationship to Customer (on [CountryCode]), which is in turn on the “one” side of its relationship to the Sales table.

[Image: Row Level Security 2]

If we can limit the countries to only those in, say, North America, that would limit the customers to those that are located there, and that would limit the sales, in a cascading filter sort of way. We end up seeing only sales to Customers that are in North America. It would be like adding a WHERE predicate to a SQL query which filters as follows:

SELECT * FROM dbo.Country WHERE Continent = 'North America'

Let’s get started.

  • On the Modelling tab, click Manage Roles.
  • Click Create to add a new Role, and name it “North America”.
  • Under Tables, click the ellipsis next to Country and select Add Filter, then select the [Continent] field
  • Edit the Table Filter DAX Expression it generates, replacing the placeholder “Value” with “North America”

[Image: Row 3]

To test out this Role, back on the Modelling tab, click View As Roles. Select the North America role. My resulting map looks like this:

[Image: Row 4]

Notice the yellow band at the top of the report page that not only shows the security context under which the data is being viewed, but also offers a link to go back to unfiltered data.

We’ve successfully created a Security Role for North America. With only six distinct continents in the Country table, it is a simple operation to add additional roles for the remaining five, each appropriately named.

After deploying the model to the Power BI service, we have some additional work. Locate the data set for the model, click the ellipsis next to it and select security. This is where you would specify who has membership in which role. And obviously, membership in any one role gives you access to see the data associated with that particular continent. There is nothing stopping you from adding any one name to multiple roles. As you can see from the screenshot below, I have already added someone to the North America role.

[Image: Row 5]

Get used to this operation as it will be referenced in each of the other two scenarios, but not directly explained again as the operation is exactly the same. Only the name of the Role(s) will change.

This Row Level Security approach is useful if you have a relatively small number of distinct values at the top of a hierarchy (Continent / Country / Sales in this case), and that list is not likely to change. Changes in that list of values would dictate corresponding changes to the Roles, and re-deployments of the Power BI model. But I think we’re safe with our six continents on this earth for at least another googol years or so.

Row Level Security in Power BI Scenario 2

In this scenario, we’re going to take the security role assignments out of the Power BI Service and hold them at the database layer. We’ll use the same model from the previous scenario, minus the six roles we defined before. This model includes one additional table, Continent, as shown below:

[Image: Row 6]

And as you can imagine, this table now moves the top of our de-facto hierarchy, with a one-to-many relationship between it and the Country table, on field [Continent]:

[Image: Row 7]

To set security in the model we will do the same thing using the Manage Roles dialog box. If you are continuing on from Scenario 1 and have added the Continent table, you can delete the six Roles you added before, as they are not needed here. This time the single role of “Users” will filter on the Continent table, with the DAX expression: [UserName] = USERNAME()

[Image: Row 8]

The DAX USERNAME() function returns the login name and domain of the logged in user in the format of <name>@<domain>. This returned value ties nicely with the [UserName] column of the Continent table.

To test out this method of securing the data, we will again go to the View As Roles button on the Modelling tab, but this time we’ll check off both the Role of “Users”, and also fill in the “Other user” option by supplying a user name. If you recall the Continent table above, Eustice is assigned to Europe, so she only sees data for Europe. Notice below also how the Continent slicer gets filtered to just one value, and the Country slicer below it gets filtered as well to only Countries to which Eustice has access — those in Europe.

[Image: Row 9]

After deploying the model, we still need to add email addresses to our User role just like before, but this time we have one role to worry about, and so all six names can be added under that one Role. Control over who gets to see what continent is defined in the rows of the Continent table back in the database. By changing or removing a name and refreshing the data to Power BI, we will alter data access rights without the need to redeploy the model or make adjustments to the Dataset’s Security settings on the site.

This scenario is handy when you again have a clearly defined top-down hierarchy, and when the users’ access is mutually exclusive. One and only one person can have access to each continent. I foresee this being implemented in a model where a salesperson table is at the head of the hierarchy and by filtering the salesperson, the customers and their respective sales get filtered as well. One certainly would not want to be creating a role for each salesperson, re-deploying the model, and then assigning each salesperson to their respective role as we did in Scenario 1. Instead, this approach handles the security assignment dynamically with the USERNAME() function.

Stay tuned for Part 2 where we will look at a third scenario which is a bit more involved, with multiple users, multiple groups, multiple group memberships, and multiple geo-political regions.


4 Cost Saving DevOps Tools on Azure

Technology leaders need to pay attention to DevOps. Yes, it’s a funny little name. Wikipedia states that DevOps is a compound of “development” and “operations” before explaining it as “a culture, movement or practice that emphasizes the collaboration and communication of both software developers and other information-technology (IT) professionals while automating the process of software delivery and infrastructure changes.”

Technology professionals know that identifying, tracking and resolving bugs costs money. If you are the one writing the software (and sooner or later, everyone will), the bugs are on your dime. Good testing practices can help minimize bugs and costs. However, sometimes bugs result from deployment practices. Indeed, the best technology operations focus on standardized, automated testing and release management practices. By DevOps best practices, software teams treat software deliverables the way a manufacturing company treats finished goods – ruthlessly eliminating deviations with automation.

If you have tried and failed to create innovative solutions within your company by writing software, there could be several reasons why that happened. If you think you got the requirements right, and think the architecture was right, and your software developers understand the technology, then examine the process of delivering the software to the users.

Delivering Software Cost Effectively

The concept behind DevOps has been known as Continuous Integration (CI), Application Lifecycle Management (ALM) and by other names. Often, IT departments found ALM complex, or did not have the knowledge required to design a pipeline for software development. But, the tools have continued to evolve, and the processes have simplified. Today, Cloud vendors deliver DevOps services to technology professionals which are very hard to dismiss. Among the very best is Microsoft’s Azure platform. Microsoft Azure provides many tools for standardizing, testing and delivering high quality software.

Here are my four favorites:

Azure Resource Management (ARM) templates

Azure Resource Management templates are JSON documents which can be used to describe a complete set of Azure services. These documents can be saved and managed by IT operations personnel. This highlights a key cloud computing value proposition: the cloud offers technology as a “standard service” and each service can be encapsulated to be brought up and down as needed.

ARM templates can describe Infrastructure-as-a-Service offerings (i.e. Virtual Machines, Networks and Storage). This enables Dev / Test Labs to be designed, templated, deployed and undeployed as needed. Technology teams which must plan for an upgrade by providing a test environment no longer need to buy infrastructure to support a virtual environment. Instead, they can define the environment as an ARM. Azure allows you to build the environment once, extract the ARM template for later use, and then destroy the resources.

ARM templates can describe Platform-as-a-Service offerings (i.e. Websites, Services, Databases). This enables the exact same concept, with even better results. In the end, you don’t even have any servers to manage or patch: the underlying infrastructure is standardized. This brings me to Deployment Slots.

Deployment Slots

A common best practice in delivering software is to have at least one Quality Assurance (QA) environment. This shadow environment should replicate production as closely as possible. However, in the PaaS world, we don’t have control of the underlying infrastructure – that’s great, it’s standardized and we want to keep it that way. But we don’t want to abandon the practice of performing final testing before deploying to production.

With deployment slots, we get the ability to create a number of “environments” for our applications and services, then switch them back and forth as needed. Let’s say you have a new software release which you want to ensure passes some tests before releasing to the user community. Simply create a slot called “Staging” for deployment, perform your tests, then switch to production.

[Image: azure deployment]

Uh oh – we missed something. We’re human after all. Users are reporting bugs and they liked it better the way we had it. Switch it back – no harm no foul.

[Image: Deployment Azure 2]

There are some important things to consider before adding Deployment Slots to your DevOps pipeline. For example, if your application relies upon a database of some kind, you may need to provision staging copy for your tests. You also need to be aware that Connection Strings are one of the configuration values which can switch with the slot, unless configured to do otherwise.

Deploy to Azure

I was recently treated to some excellent material on the Cortana Analytics Suite of products. Paying close attention (as I sometimes do), I noticed that the lab environment was prepared for me as an ARM template. I was directed to GitHub (an online public software repository) and told to push the button marked “Deploy to Azure”. When I did, I was brought to http://deploy.azure.com – and the URL included a reference to the GitHub location, or repository, which I had just visited. The author of the software had placed an ARM template describing the entire lab environment, and included a few parameters so that I could fill in the information from my Azure subscription. 20 minutes later, I had Machine Learning, Hadoop/Spark, Data Factory and Power BI resources at my fingertips. Later in the day, we deployed again, this time deploying a simple Web app which consumed Advanced Analytics services. When I was finished, I simply deleted the resources – the entire day cost me less than $20 of Azure consumption costs. Deploying an app has never been easier.

Azure Container Services

No discussion of DevOps would be complete without mentioning Docker. Docker is a platform gaining popularity among developers and IT operations for its consistency with Virtual Machines and lower overhead. Essentially, Docker runs as a subsystem which hosts containers. A container is similar in functionality to ARM.

[Image: Azure Container Services 1]

[Image: Azure Container Services 2]

DevOps Tools on Azure

Linux or Windows, Open Source or Closed, Infrastructure or Platform, TFS or GitHub. None of that matters anymore. No more excuses – Microsoft Azure provides outstanding DevOps tooling for Modern Application Development. If you have not deployed your first application to Azure, let’s talk. We can get you optimized quickly.

About Brian: Brian Berry leads the Microsoft Business Intelligence and Data Analytics practice at BlumShapiro. He has over 15 years of experience with information technology (IT), software design and consulting. Brian specializes in identifying business intelligence (BI) and data management solutions for upper mid-market manufacturing, distribution and retail firms in New England. He focuses on technologies which drive value in analytics: data integration, self-service BI, cloud computing and predictive analytics.


SharePoint Mobile App Review, Tips and Tricks

Today I’d like to discuss the new SharePoint Mobile App, aka the Intranet in your pocket. In 2016, Microsoft released SharePoint 2016, along with a mobile application for the product. If you have not already downloaded the app, I highly suggest you download it, and follow along with the tips provided below. This post will serve as an introduction to the SharePoint Mobile app, highlight some of its capabilities and provide tips to make sure you take advantage of the features offered. So, let’s get started.

SharePoint Sites Feature

It is important to understand that SharePoint is hierarchical, and the sites screen illustrates this concept. This concept was not illustrated well in the current mobile web view of SharePoint, so the progress made with the app has not gone unnoticed. The mobile app provides a clean and simple sites screen, and by default sites are ordered by your most recent activity. The sites screen menu provides access to view lists, libraries and sub-sites. Along with seeing the sites that you use, you also have the ability to share sites with others, or mark one as a favorite. This screen brings the best of SharePoint right to your fingertips and is a perfect start.

Embedded Browser View

A view of a site in an embedded browser view.

While navigating between sites the app will display each site differently. Some sites will load via an embedded browser in the app whereas others will have a native app screen. The embedded browser view is SharePoint’s mobile web view, and while it is not as clean or user-friendly as a native screen, it still provides the ability to see the site’s content. In the past, the mobile web view would open every site on a separate browser page causing confusion and a poor user experience, so having the embedded browser view for sites as part of the mobile app navigation is a major improvement.

Quick Tip

If you regularly use a site, I highly recommend pressing the “star” button on the site screen. This will add the site to the “Following” tab for quicker access. Remember to remove sites which you no longer have an interest in, by un-clicking on the “star” button.

SharePoint Links Feature

Microsoft knows that SharePoint is a great tool for collaboration, sharing and empowering users. The links screen provides you with easy access to both internal and external resources. If your company has a “Quick Links” section on their intranet, then those links should also display in the SharePoint App. If you don’t see any links displayed, contact your administrator and request that they update the “Featured Links” section in Office 365.

SharePoint People Feature

The people screen provides you with direct access to your contact list and their profile pages. Creating and managing your contacts is key to getting the most out of SharePoint. If you have never used the Microsoft contacts capabilities, now is a great time to give it a try. To add new contacts you just need to navigate to Office 365, select the People link from the quick launch and start adding contacts.

I highly suggest you start by creating contacts for leaders within your organization. If you need help finding these individuals, the search feature will serve as a big help. To view an individual’s page, click on their name in the people screen. This will open a page that clearly displays their contact information, title, a photo, who they work with and recent activity.

Quick Tip

One of the most important features of people is the ability for you to add notes about your contact. For example, you can create a note that contains information about when you met a certain individual. This information can only be seen from your end and is one of the “hidden” features available in Microsoft People.

SharePoint Search Feature

In my opinion, the greatest feature in the new SharePoint mobile app is search. Using the search feature in the app is the easiest way to find the information you are looking for. The app allows you to drill down and search based on specific dimensions including sites, files, people or recommended. It is clear to me that Microsoft’s investment in SharePoint search is paying off. Give it a try: go ahead and search for a file either by name or by the content of the file.

See what else SharePoint can do, when it comes to workflows and automation of business processes.

Conclusion

Microsoft’s release of this SharePoint app shows their commitment to both the mobile space and SharePoint. Here at BlumShapiro Consulting, we are Gold Certified in Collaboration and Content. We are Partners in Office and Collaboration and are ready to help your business leverage these Microsoft tools. Learn more about SharePoint by looking at our library of posts on the topic here. Contact us to learn more about how SharePoint can help your organization.


About Hector: 

Hector Luciano, Jr., is a Consulting Manager at BlumShapiro, a Microsoft Gold Partner focusing on SharePoint, Office 365, mobile technologies and custom development solutions. Hector is focused on delivering high value solutions to his customers in Mobile and SharePoint.