Row-level security (RLS) with Power BI Desktop

Row-level security (RLS) with Power BI Desktop can be used to restrict data access for given users. Filters restrict data at the row level. You can define filters within roles.

You can now configure RLS for data models imported into Power BI with Power BI Desktop. You can also configure RLS on datasets that are using DirectQuery, such as SQL Server. Previously, you were only able to implement RLS within on-premises Analysis Services models outside of Power BI. For Analysis Services live connections, you configure row-level security on the on-premises model. The security option will not show up for live connection datasets.

Important

If you defined roles/rules within the Power BI service, you will need to recreate those roles within Power BI Desktop and publish the report to the service.

Learn more about options for RLS within the Power BI Service.

Define roles and rules within Power BI Desktop

You can define roles and rules within Power BI Desktop. When you publish to Power BI, it will also publish the role definitions.

To define security roles, you can do the following.

  1. Import data into your Power BI Desktop report, or configure a DirectQuery connection.

    Note

    You cannot define roles within Power BI Desktop for Analysis Services live connections. You will need to do that within the Analysis Services model.

  2. Select the Modeling tab.
  3. Select Manage Roles.

  4. Select Create.

  5. Provide a name for the role.
  6. Select the table to which you want to apply a DAX rule.
  7. Enter the DAX expressions. This expression should return true or false. For example: [Entity ID] = "Value".

    Note

    You can use username() within this expression. Be aware that username() will have the format of DOMAIN\username within Power BI Desktop. Within the Power BI service, it will be in the format of the user's UPN. Alternatively, you can use userprincipalname(), which will always return the user in the format of their user principal name.

  8. After you have created the DAX expression, you can select the check above the expression box to validate the expression.

  9. Select Save.

You cannot assign users to a role within Power BI Desktop. This is done within the Power BI service. You can enable dynamic security within Power BI Desktop by making use of the username() or userprincipalname() DAX functions and having the proper relationships configured.
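
The following role filter expressions are an added example, not part of the original documentation, showing how the username() format difference affects a dynamic security rule and how userprincipalname() avoids it. The table and column names (UserRegion, Sales, UserLogin, UserUPN, Region) are hypothetical.

```dax
-- Added example. All table and column names are hypothetical.
-- UserRegion maps each user to the region they may see;
-- Sales is the fact table that must be restricted.

-- Rule 1 (fragile), entered on table UserRegion:
-- username() returns DOMAIN\username in Power BI Desktop but the
-- user's UPN in the Power BI service, so a rule validated against
-- one format in Desktop compares against a different string after
-- the report is published.
[UserLogin] = USERNAME()

-- Rule 2 (stable), entered on table UserRegion:
-- userprincipalname() returns the UPN in both Desktop and the
-- service, so UserUPN can hold values such as user@contoso.com
-- (constructed sample value) and match in both places.
[UserUPN] = USERPRINCIPALNAME()

-- With a relationship from UserRegion[Region] to Sales[Region] that
-- filters Sales, Rule 2 alone restricts Sales to the user's rows.

-- Rule 3, entered on table Sales, for a model where no relationship
-- carries the filter from UserRegion to Sales: keep a Sales row only
-- if UserRegion contains a (current user, this row's region) pair.
CONTAINS(
    UserRegion,
    UserRegion[UserUPN], USERPRINCIPALNAME(),
    UserRegion[Region], [Region]
)
```

When checking such a role with View As Roles and Other user, supply the UPN so that Rule 2 and Rule 3 are evaluated against the same value the Power BI service will use.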

Validating the role within Power BI Desktop

After you have created your role, you can test the results of the role within Power BI Desktop. To do this, select View As Roles.

The View as roles dialog allows you to change the view of what you are seeing for that specific user or role. You will see the roles you have created.

You select the role you created and then select OK to apply that role to what you are viewing. The reports will only render the data relevant for that role.

You can also select Other user and supply a given user. It is best to supply the User Principal Name (UPN) as that is what the Power BI service will use. Select OK and the reports will render based on what that user can see.

Note

Within Power BI Desktop, this will only display different results if you are using dynamic security based on your DAX expressions.

Limitations

Here is a list of the current limitations for row-level security on cloud models.

  • If you previously had roles/rules defined within the Power BI service, you will need to recreate them within Power BI Desktop.
  • You can define RLS only on the datasets created using the Power BI Desktop client. If you want to enable RLS for datasets created with Excel, you will need to convert your files into PBIX files first.
  • Only ETL and DirectQuery connections are supported. Live connections to Analysis Services are handled in the on-premises model.
  • Q&A and Cortana are not supported with RLS at this time. You will not see the Q&A input box for dashboards if all models have RLS configured. This is on the roadmap, but a timeline is not available.
  • External sharing is not currently supported with datasets that use RLS.
  • For any given model, the maximum number of Azure AD principals (i.e. individual users or security groups) that can be assigned to security roles is 1,000. To assign large numbers of users to roles, be sure to assign security groups, rather than individual users.

Known issues

There is a known issue where you will receive an error message when trying to publish from Power BI Desktop if it was previously published. The scenario is as follows.

  1. Anna has a dataset that is published to the Power BI service and has configured RLS.
  2. Anna updates the report in Power BI Desktop and re-publishes.
  3. Anna will receive an error.

Workaround: Re-publish the Power BI Desktop file from the Power BI service until this issue is resolved. You can do that by selecting Get Data > Files.

FAQ

Question: What if I had previously created roles/rules for a dataset in the Power BI service? Will they still work if I do nothing?
Answer: No. Visuals will not render properly. You will have to re-create the roles/rules within Power BI Desktop and then publish them to the Power BI service.

Question: Can I create these roles for Analysis Services data sources?
Answer: You can if you imported the data into Power BI Desktop. If you are using a live connection, you will not be able to configure RLS within the Power BI service. This is defined within the Analysis Services model on-premises.

Question: Can I use RLS to limit the columns or measures accessible by my users?
Answer: No. If a user has access to a particular row of data, they can see all the columns of data for that row.

Question: Does RLS allow me to hide detailed data but give access to data summarized in visuals?
Answer: No, you secure individual rows of data but users can always see either the details or summarized data.

Next steps

Row-level security (RLS) with the Power BI service

More questions? Try asking the Power BI Community