Set Up Row-Level Security for Procore Analytics
Objective
To set up row-level security for Procore Analytics.
Background
If a user's Procore login credentials are the same as their Power BI login credentials, row-level security (RLS) filters can be set up in Power BI Desktop to limit a user's access in the Power BI service to data only from Procore projects they have been added to. For more information, see Microsoft's Row-level security (RLS) with Power BI.
Things to Consider
- Required User Permissions:
- Your login information for Power BI and Procore must use the same email address.
- You must be assigned the 'Viewer' role in the Power BI workspace.
Steps
- Configure 'Project' and 'ProjectUser' Power BI Relationship
- Create a New RLS Role
- Add Users to an RLS Role
Configure 'Project' and 'ProjectUser' Power BI Relationship
Configuring a Power BI relationship between the Project and ProjectUser tables connects the data from these tables. See Microsoft's Create and manage relationships in Power BI Desktop. Two options for configuring this relationship are outlined below.
Option 1
- Open a Procore Analytics report in Power BI Desktop.
- On the Home tab, click Manage Relationships.
- In the 'Manage relationships' window, scroll through the options and select ProjectUser (ProjectID) and click Edit.
- Complete the following in the 'Edit relationship' window:
- Under 'Cardinality', select Many to one (*:1) and mark the 'Make this relationship active' checkbox. These options should be selected by default.
- Under 'Cross filter direction', select Both and mark the 'Apply security filter in both directions' checkbox.
- Click OK to close the 'Edit relationship' window.
- Click Close to close the 'Manage relationships' window.
- Save the report.
- Continue with the steps in Create a New RLS Role.
Option 2
- Open a Procore Analytics report in Power BI Desktop.
- Click the Model view.
- Check the relationship between the 'Project' and 'ProjectUser' tables. The relationship should have a (1) next to the 'Project' table and an asterisk (*) next to the 'ProjectUser' table.
Tip
To view only the relationship between the 'Project' and 'ProjectUser' tables (as shown below), click the plus icon (+) next to the 'All tables' tab to create a new layout and add the 'Project' and 'ProjectUser' tables to the layout by dragging and dropping them from the Properties > Fields menu into the gray space.
- Select the relationship by double-clicking on the connecting line between them.
- Complete the following in the 'Edit relationship' window:
- Under 'Cardinality', select Many to one (*:1) and mark the 'Make this relationship active' checkbox. These options should be selected by default.
- Under 'Cross filter direction', select Both and mark the 'Apply security filter in both directions' checkbox.
- Click OK to close the 'Edit relationship' window.
- Save the report.
- Continue with the steps in Create a New RLS Role.
Create a New RLS Role
- On the 'Modeling' tab, click Manage Roles.
- In the 'Manage roles' window, complete the following in each column:
- In the 'Roles' column, click Create and enter a name for the role in the 'New role' field. Project User is the role name used in the image below.
- In the 'Tables' column, select ProjectUser.
- In the 'Table filter DAX expression' column, enter [email_address] = userprincipalname().
- Click Save in the 'Manage roles' window.
- Save and publish the report.
- Continue with the steps in Add Users to an RLS Role.
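The following Python sketch is an added example, not Procore's or Microsoft's code. It models how the role filter on ProjectUser reaches the Project table only when 'Apply security filter in both directions' is marked. The sample rows, the `name` column, and the function names are constructed for illustration; `ProjectID` and `email_address` are the column names used on this page.

```python
# Constructed sample rows; ProjectID and email_address follow the page,
# the "name" column and all values are made up for this example.
PROJECT = [
    {"ProjectID": 1, "name": "Tower A"},
    {"ProjectID": 2, "name": "Bridge B"},
    {"ProjectID": 3, "name": "Clinic C"},
]
PROJECT_USER = [
    {"ProjectID": 1, "email_address": "ana@example.com"},
    {"ProjectID": 2, "email_address": "ana@example.com"},
    {"ProjectID": 2, "email_address": "Raj@Example.com"},
    {"ProjectID": 3, "email_address": "raj@example.com"},
]


def visible_rows(upn, security_filter_both_directions=True):
    """Return (ProjectUser rows, Project rows) readable under the RLS role."""
    # Role filter on ProjectUser: [email_address] = userprincipalname().
    # casefold() mirrors DAX text comparison, which is case-insensitive
    # under the default model collation.
    users = [r for r in PROJECT_USER
             if r["email_address"].casefold() == upn.casefold()]
    if not security_filter_both_directions:
        # A security filter on the many side (ProjectUser) does not reach
        # the one side (Project) unless the checkbox is marked, so every
        # project row stays readable.
        return users, list(PROJECT)
    allowed = {r["ProjectID"] for r in users}
    return users, [p for p in PROJECT if p["ProjectID"] in allowed]


def project_ids(upn, **kwargs):
    """Sorted ProjectIDs the user can read from the Project table."""
    return sorted(p["ProjectID"] for p in visible_rows(upn, **kwargs)[1])


if __name__ == "__main__":
    for upn in ("ana@example.com", "raj@example.com", "guest@example.com"):
        print(upn,
              "| both directions:", project_ids(upn),
              "| checkbox unmarked:",
              project_ids(upn, security_filter_both_directions=False))
```

In Power BI Desktop, the equivalent check is Modeling > View as, selecting the role and entering a user's email address under 'Other user'.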
Add Users to an RLS Role
Once the RLS table relationship is configured, users must be added to RLS roles in the Power BI service in order to view a Procore Analytics report. For more information, see Microsoft's Row-level security (RLS) with Power BI: Working with members.
- Open a Procore Analytics report in the Power BI service.
- Under 'Datasets', click the ellipsis (...) next to the report you want to set up RLS for and click Security.
- Select the role you want to add one or more users to.
Tip
Using Office 365 Distribution Groups can simplify the process of adding multiple users to an RLS role at one time. See Microsoft's Get started with Microsoft 365 Groups in Outlook.
- Enter their email addresses and click Add.
- Click Save.