Row-level security (RLS) with Power BI

Row-level security (RLS) with Power BI can be used to restrict data access for given users. Filters restrict data at the row level. You can define filters within roles.

You can configure RLS for data models imported into Power BI with Power BI Desktop. You can also configure RLS on datasets that use DirectQuery, such as SQL Server. Previously, you could only implement RLS within on-premises Analysis Services models outside of Power BI. For Analysis Services live connections, you configure row-level security on the on-premises model. The security option will not show up for live connection datasets.

Define roles and rules within Power BI Desktop

You can define roles and rules within Power BI Desktop. When you publish to Power BI, it will also publish the role definitions.

To define security roles, do the following.

  1. Import data into your Power BI Desktop report, or configure a DirectQuery connection.

    Note

    You cannot define roles within Power BI Desktop for Analysis Services live connections. You will need to do that within the Analysis Services model.

  2. Select the Modeling tab.
  3. Select Manage Roles.

  4. Select Create.

  5. Provide a name for the role.
  6. Select the table that you want to apply a DAX rule to.
  7. Enter the DAX expression. This expression should return true or false. For example: [Entity ID] = "Value".

    Note

    You can use username() within this expression. Be aware that username() will have the format DOMAIN\username within Power BI Desktop. Within the Power BI service, it will be in the format of the user's UPN. Alternatively, you can use userprincipalname(), which will always return the user in the format of their user principal name.

  8. After you have created the DAX expression, you can select the check mark above the expression box to validate the expression.

  9. Select Save.

You cannot assign users to a role within Power BI Desktop. This is done within the Power BI service. You can enable dynamic security within Power BI Desktop by making use of the username() or userprincipalname() DAX functions and having the proper relationships configured.

By default, row-level security filtering uses single-directional filters, regardless of whether the relationships are set to single direction or bi-directional. You can manually enable bi-directional cross-filtering with row-level security by selecting the relationship and checking the Apply security filter in both directions checkbox. You should check this box when implementing dynamic row-level security, wherein you provide row-level security based on user name or login ID.

For more information, see Bidirectional cross-filtering using DirectQuery in Power BI Desktop and the Securing the Tabular BI Semantic Model technical article.

(Screenshot: Apply security filter in both directions)

Validating the role within Power BI Desktop

After you have created your role, you can test the results of the role within Power BI Desktop. To do this, select View as Roles.

The View as Roles dialog allows you to change the view of what you are seeing for that specific user or role. You will see the roles you have created.

Select the role you created and then select OK to apply that role to what you are viewing. The reports will only render the data relevant for that role.

You can also select Other user and supply a given user. It is best to supply the User Principal Name (UPN), as that is what the Power BI service will use. Select OK and the reports will render based on what that user can see.

Note

Within Power BI Desktop, this will only display different results if you are using dynamic security based on your DAX expressions.

Manage security on your model

To manage security on your data model, do the following.

  1. Select the ellipsis (...) for a dataset.
  2. Select Security.

This will take you to the RLS page, where you can add members to a role you created in Power BI Desktop. Only the owners of the dataset will see Security available. If the dataset is in a Group, only Administrators of the group will see the security option.

You can only create or modify roles within Power BI Desktop.

Working with members

Add members

You can add a member to the role by typing in the email address, or name, of the user, security group or distribution list you want to add. This member has to be within your organization. You cannot add Groups created within Power BI.

You can also see how many members are part of the role by the number in parentheses next to the role name, or next to Members.

Remove members

You can remove members by selecting the X next to their name.

Validating the role within the Power BI service

You can validate that the role you defined is working correctly by testing the role.

  1. Select the ellipsis (...) next to the role.
  2. Select Test data as role.

You will then see the reports that are available for this role. Dashboards are not presented in this view. In the blue bar above, you will see what is being applied.

You can test other roles, or a combination of roles, by selecting Now viewing as.

You can choose to view data as a specific person, or you can select a combination of available roles to validate that they are working.

To return to normal viewing, select Back to Row-Level Security.

Using the username() or userprincipalname() DAX function

You can take advantage of the DAX functions username() or userprincipalname() within your dataset. You can use them within expressions in Power BI Desktop. When you publish your model, it will be used within the Power BI service.

Within Power BI Desktop, username() will return a user in the format DOMAIN\User and userprincipalname() will return a user in the format user@contoso.com.

Within the Power BI service, username() and userprincipalname() will both return the user's User Principal Name (UPN). This looks similar to an email address.
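The dynamic-security pattern described under "Define roles and rules within Power BI Desktop" and in this section, as an added example that is not part of the original page. It assumes a constructed model with a Region dimension table, a Sales fact table related many-to-one to Region, a UserRegion mapping table (columns UPN and Region) also related many-to-one to Region, and a role named RegionalSales; the table, column and role names are assumptions.

```dax
// Constructed example: table, column and role names are assumptions, not from the page.
// Each expression below is entered in Manage Roles as the table filter for the named
// table. A table filter must evaluate to TRUE or FALSE for every row of that table.

// Role: RegionalSales, table filter on UserRegion.
// Keeps only the mapping rows that belong to the signed-in user.
// USERPRINCIPALNAME() returns user@contoso.com both in Power BI Desktop and in the
// service, whereas USERNAME() returns DOMAIN\user in Desktop, so a UPN column
// compared against USERNAME() would match in the service but not in Desktop's
// "View as Roles" test.
[UPN] = USERPRINCIPALNAME()

// UserRegion sits on the "many" side of its relationship to Region, so by default
// the security filter above does not flow to Region (and from there to Sales).
// Checking "Apply security filter in both directions" on the UserRegion -> Region
// relationship makes it flow: Region is reduced to the user's regions and Sales is
// then filtered through its own many-to-one relationship to Region, so neither
// Region nor Sales needs an expression of its own.

// Alternative: a table filter on Sales that does not rely on bidirectional security
// filtering. CONTAINS returns TRUE when a UserRegion row exists for both the current
// user and the current Sales row's region, so a user mapped to several regions is
// handled. (LOOKUPVALUE would raise an error for such a user, because more than
// one UserRegion row would match the UPN.)
CONTAINS(
    UserRegion,
    UserRegion[UPN], USERPRINCIPALNAME(),
    UserRegion[Region], Sales[Region]
)
```

A user with no row in UserRegion sees no Sales rows under either variant, which is the safe default for an unmapped account.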

Using RLS with app workspaces in Power BI

If you publish your Power BI Desktop report to an app workspace within the Power BI service, the roles will be applied to read-only members. You will need to indicate that members can only view Power BI content within the app workspace settings.

Warning

If you have configured the app workspace so that members have edit permissions, the RLS roles will not be applied to them. Those users will be able to see all of the data.

Limitations

Here is a list of the current limitations for row-level security on cloud models.

  • If you previously had roles/rules defined within the Power BI service, you will need to recreate them within Power BI Desktop.
  • You can define RLS only on datasets created using the Power BI Desktop client. If you want to enable RLS for datasets created with Excel, you will need to convert your files into PBIX files first. Learn more
  • Only ETL and DirectQuery connections are supported. Live connections to Analysis Services are handled in the on-premises model.
  • Q&A and Cortana are not supported with RLS at this time. You will not see the Q&A input box for dashboards if all models have RLS configured. This is on the roadmap, but a timeline is not available.
  • External sharing is not currently supported with datasets that use RLS.
  • For any given model, the maximum number of Azure AD principals (that is, individual users or security groups) that can be assigned to security roles is 1,000. To assign large numbers of users to roles, be sure to assign security groups rather than individual users.

Known issues

There is a known issue where you will receive an error message when trying to publish from Power BI Desktop if the report was previously published. The scenario is as follows.

  1. Anna has a dataset that is published to the Power BI service and has configured RLS.
  2. Anna updates the report in Power BI Desktop and re-publishes.
  3. Anna will receive an error.

Workaround: Re-publish the Power BI Desktop file from the Power BI service until this issue is resolved. You can do that by selecting Get Data > Files.

FAQ

Question: What if I had previously created roles/rules for a dataset in the Power BI service? Will they still work if I do nothing?
Answer: No. Visuals will not render properly. You will have to re-create the roles/rules within Power BI Desktop and then publish to the Power BI service.

Question: Can I create these roles for Analysis Services data sources?
Answer: You can if you imported the data into Power BI Desktop. If you are using a live connection, you will not be able to configure RLS within the Power BI service. This is defined within the Analysis Services model on-premises.

Question: Can I use RLS to limit the columns or measures accessible by my users?
Answer: No. If a user has access to a particular row of data, they can see all the columns of data for that row.

Question: Does RLS allow me to hide detailed data but give access to data summarized in visuals?
Answer: No. You secure individual rows of data, but users can always see either the details or the summarized data.

Next steps

Row-level security (RLS) with Power BI Desktop

More questions? Try asking the Power BI Community