将行级别安全性用于 Power BI 工作区集合Row level security with Power BI Workspace Collections

行级别安全性 (RLS) 可用于限制用户对报表或数据集内特定数据的访问,使多个不同的用户在查看不同数据的同时,能够使用相同的报表。Row level security (RLS) can be used to restrict user access to particular data within a report or dataset, allowing for multiple different users to use the same report while all seeing different data. Power BI 工作区集合支持使用 RLS 配置的数据集。Power BI Workspace Collections support datasets configured with RLS.

Power BI 工作区集合中的行级别安全性流程

Important

Power BI 工作区集合已弃用,到 2018 年 6 月 或合同指示时可用。Power BI Workspace Collections is deprecated and is available until June 2018 or when your contract indicates. 建议你规划到 Power BI Embedded 的迁移以避免应用程序中断。You are encouraged to plan your migration to Power BI Embedded to avoid interruption in your application. 有关如何将数据迁移到 Power BI Embedded 的信息,请参阅如何将 Power BI 工作区集合内容迁移到 Power BI EmbeddedFor information on how to migrate your data to Power BI Embedded, see How to migrate Power BI Workspace Collections content to Power BI Embedded.

若要利用 RLS,必须了解三个重要概念:用户、角色和规则。In order to take advantage of RLS, it’s important you understand three main concepts; Users, Roles, and Rules. 下面更详细地讲解每个概念:Let’s take a closer look at each:

用户 - 查看报表的实际最终用户。Users - These are the actual end-users viewing reports. 在 Power BI 工作区集合中,用户按应用令牌中的用户名属性标识。In Power BI Workspace Collections, users are identified by the username property in an App Token.

角色 – 用户属于角色。Roles - Users belong to roles. 角色是规则的容器,可命名为类似于“销售经理”或“销售代表”的名称。A role is a container for rules and can be named something like “Sales Manager” or “Sales Rep.” 在 Power BI 工作区集合中,用户按应用令牌中的角色属性标识。In Power BI Workspace Collections, users are identified by the roles property in an App Token.

规则 – 角色具有规则,这些规则是要应用到数据的实际筛选器。Rules - Roles have rules, and those rules are the actual filters that are going to be applied to the data. 规则可以像“Country = USA”一样简单,也可以是更动态的对象。This could be as simple as “Country = USA” or something much more dynamic.

示例Example

本文的余下部分将提供编写 RLS,然后在嵌入式应用程序中使用 RLS 的示例。For the rest of this article, we provide an example of authoring RLS, and then consuming that within an embedded application. 本例使用零售分析示例 PBIX 文件。Our example uses the Retail Analysis Sample PBIX file.

示例销售报表

零售分析示例显示特定零售链中所有商店的销售额。Our Retail Analysis sample shows sales for all the stores in a particular retail chain. 如果不使用 RLS,无论哪个区域的经理在登录后查看报表时,都会看到相同的数据。Without RLS, no matter which district manager signs in and views the report, they see the same data. 高级管理层决定只允许每个区域经理查看他们所管理的商店的销售额。为实现此目的,可以使用 RLS。Senior management has determined each district manager should only see the sales for the stores they manage, and to do this, we can use RLS.

RLS 是在 Power BI Desktop 中编写的。RLS is authored in Power BI Desktop. 打开数据集和报表时,可以切换到图示视图来查看架构:When the dataset and report are opened, we can switch to diagram view to see the schema:

Power BI Desktop 中的模型图

下面是此架构的一些注意事项:Here are a few things to notice with this schema:

  • 所有度量值,例如“总销售额”,存储在“销售”事实表中。All measures, like Total Sales, are stored in the Sales fact table.

  • 有四个附加的相关维度表:“项”、“时间”、“商店”和“区域”。There are four additional related dimension tables: Item, Time, Store, and District.

  • 关系线的箭头表示筛选器可以从一个表流向另一个表的方向。The arrows on the relationship lines indicate which way filters can flow from one table to another. 例如,如果筛选器位于 Time[Date] 中,则在当前架构中,它只向下筛选“销售”表中的值。For example, if a filter is placed on Time[Date], in the current schema it would only filter down values in the Sales table. 其他表不受此筛选器的影响,因为关系线的所有箭头都指向销售表,未指向其他方向。No other tables would be affected by this filter since all of the arrows on the relationship lines point to the sales table and not away.

  • “区域”表指明谁是每个区域的经理:The District table indicates who the manager is for each district:

    区域表行

根据此架构,如果将筛选器应用到“区域”表中的“区域经理”列,并且该筛选器与查看报表的用户匹配,则该筛选器也向下筛选“商店”和“销售”表,只显示该特定区域经理的数据。Based on this schema, if we apply a filter to the District Manager column in the District table, and if that filter matches the user viewing the report, that filter also filters down the Store and Sales tables to only show data for that particular district manager.

方法如下:Here’s how:

  1. 在“建模”选项卡中,单击“管理角色”。On the Modeling tab, click Manage Roles.
    “建模”功能区中的“管理角色”按钮Manage roles button in Modeling ribbon

  2. 创建名为“经理”的新角色。Create a new role called Manager.
    Power BI Desktop 中的角色创建Roles creation in Power BI Desktop

  3. 在“区域”表中输入以下 DAX 表达式:[District Manager] = USERNAME()In the District table enter the following DAX expression: [District Manager] = USERNAME()
    角色中用于表的 DAX 筛选表达式DAX filter expression for table in role

  4. 为确保规则正常运行,请在“建模”选项卡中单击“以角色身份查看”,并输入以下内容:To make sure the rules are working, on the Modeling tab, click View as Roles, and then enter the following:
    以角色身份查看View as roles

    报表随即会显示数据,与使用 Andrew Ma 登录时的情况一样。The reports will now show data as if you are signed in as Andrew Ma.

如前所述应用筛选器可向下筛选“区域”、“商店”和“销售”表中的所有记录。Applying the filter, the way we did here, filters down all records in the District, Store, and Sales tables. 但是,由于对“销售”与“时间”之间的关系应用了筛选方向,因此,“销售”和“项”,以及“项”和“时间”表不会向下筛选。However, because of the filter direction on the relationships between Sales and Time, Sales and Item, and Item and Time tables will not be filtered down.

突出显示关系的图示视图

这种模式也许能够满足某种要求,但如果不希望经理查看他们没有任何销售的项,则可以针对关系启用双向交叉筛选,使安全筛选器同时流向两个方向。That may be ok for this requirement, however, if we don’t want managers to see items for which they don’t have any sales, we could turn on bidirectional cross-filtering for the relationship and flow the security filter in both directions. 为此,可以编辑“销售”与“项”之间的关系,如下所示:This can be done by editing the relationship between Sales and Item, like this:

针对关系的交叉筛选器方向

现在,筛选器可以从“销售”表流向“项”表:Now, filters can also flow from the Sales table to the Item table:

图示视图中关系的筛选器方向图标

Note

如果针对数据使用 DirectQuery 模式,必须选择以下两个选项来启用双向交叉筛选:If you're using DirectQuery mode for your data, you need to enable bidirectional-cross filtering by selecting these two options:

  1. “文件” -> “选项和设置” -> “预览功能” -> “为 DirectQuery 启用两个方向的交叉筛选”。File -> Options and Settings -> Preview Features -> Enable cross filtering in both directions for DirectQuery.
  2. “文件” -> “选项和设置” -> “DirectQuery” -> “允许 DirectQuery 模式下不受限制的度量”。File -> Options and Settings -> DirectQuery -> Allow unrestricted measure in DirectQuery mode.

若要了解有关双向交叉筛选的详细信息,请下载 Bidirectional cross-filtering in SQL Server Analysis Services 2016 and Power BI Desktop(SQL Server Analysis Services 2016 和 Power BI Desktop 中的双向交叉筛选)白皮书。To learn more about bidirectional cross-filtering, download the Bidirectional cross-filtering in SQL Server Analysis Services 2016 and Power BI Desktop whitepaper.

这就是需要在 Power BI Desktop 中完成的所有工作,但要使定义的 RLS 规则能够在 Power BI Embedded 中正常运行,还有一个小问题需要解决。This wraps up all the work that needs to be done in Power BI Desktop, but there’s one more piece of work that needs to be done to make the RLS rules we defined work in Power BI Embedded. 用户由应用程序进行身份验证和授权,应用令牌用于授予用户对特定 Power BI Embedded 报表的访问权限。Users are authenticated and authorized by your application and App tokens are used to grant that user access to a specific Power BI Embedded report. Power BI Embedded 并不具体地知道谁是用户。Power BI Embedded doesn’t have any specific information on who your user is. 要使 RLS 正常运行,需要将一些附加上下文作为应用令牌的一部分传递:For RLS to work, you need to pass some additional context as part of your app token:

  • username(可选)- 与 RLS 一起使用,这是一个字符串,可以在应用 RLS 规则时帮助标识用户。username (optional) - Used with RLS this is a string that can be used to help identify the user when applying RLS rules. 请参阅“Using Row Level Security with Power BI Embedded”(在 Power BI Embedded 中使用行级别安全性)See Using Row Level Security with Power BI Embedded
  • roles - 一个字符串,包含应用行级别安全性规则时可选择的角色。roles - A string containing the roles to select when applying Row Level Security rules. 如果传递多个角色,则应当以字符串数组形式传递它们。If passing more than one role, they should be passed as a string array.

使用 CreateReportEmbedToken 方法创建令牌。You create the token by using the CreateReportEmbedToken method. 如果提供 username 属性,则也必须在角色中至少传递一个值。If the username property is present, you must also pass at least one value in roles.

例如,可更改 EmbedSample。For example, you could change the EmbedSample. DashboardController 第 55 行无法执行以下更新:从DashboardController line 55 could be updated from

var embedToken = PowerBIToken.CreateReportEmbedToken(this.workspaceCollection, this.workspaceId, report.Id);

toto

var embedToken = PowerBIToken.CreateReportEmbedToken(this.workspaceCollection, this.workspaceId, report.Id, "Andrew Ma", ["Manager"]);'

完整的应用令牌如下所示:The full app token looks something like this:

JSON Web 令牌示例

现已组合所有信息片段,当某人登录应用程序查看此报表时,会根据行级别安全性的定义,看到有权查看的数据。Now, with all the pieces together, when someone logs in to our application to view this report, they see the data that they are allowed to see, as defined by our row-level security.

应用程序中显示的报表

另请参阅See also

Power BI 行级别安全性 (RLS)Row-level security (RLS) with Power
在 Power BI 工作区集合中进行身份验证和授权Authenticating and authorizing in Power BI Workspace Collections
Power BI DesktopPower BI Desktop
JavaScript 嵌入示例JavaScript Embed Sample

有更多问题?More questions? 试用 Power BI 社区Try the Power BI Community