BI teams distributing Power BI content via apps have two layers of control for granting users permission to view the app's dashboards and reports. The first layer is configured by choosing the users or security groups of users when publishing the app in the Power BI service.

In the following image, a security group from AAD (Global Sales Team) is specified when publishing the Global Sales workspace as an app:

In this example, a Power BI user will need to be included in the Global Sales Team security group to see and access the app. The user who published the app will also automatically be granted permission to the app. Additionally, as per the Install app automatically checkmark, the published app will be automatically installed for members of the Global Sales Team. These users will be able to access the installed app in the Apps menu between the Recent and Shared with me menu. An example of the Apps menu is included in the Installing apps section later in this chapter.

The second layer of control is the row-level security (RLS) roles configured for the dataset supporting the reports and dashboards. If RLS has been defined within the dataset, all users accessing the app will need to be mapped to one of the RLS roles in the Power BI service.

In the following example, other Azure Active Directory security groups (for example, BI Admin) are mapped to four RLS roles:

As per the preceding image, a BI Admin security group is mapped to the Executives security role. Unlike the other three security roles, which filter the Sales Territory Group column of the Sales Territory table, the Executives role does not have any filters applied.

The user accessing and consuming the app will, therefore, need to be a member of both the Global Sales Team security group and one or more of the security groups assigned to an RLS role. If the user is only a member of the Global Sales Team security group (from the App Access page), the visuals of the dashboard and report will not render.