Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
pauljacobevans
New Member

Building .NET front end with PBI Embedded reports. .NET Users -> PBI Embedded?

‎12-13-2017 07:27 PM

Building a .NET web application that'll handle user authentication for clients, we'll be using PBI Embedded for charts and visuals.  Within Power BI there is fantastic user-level security controls and filtering.  Use case: Have all data for national sales numbers, but when my regional manager logs into my .NET app I want them to only see a sub section of filtered data they only have access to.

 

I know there's the API embedded layer, but how can you interface with an external authentication layer, or is it possible to wrap in Azure authenticaiton into our .NET app to make this connectivity work.

 

I really want to have the user subset security filters on the data, that's a huge requirement for this to work.

 

Thoughts?

Labels:
Message 1 of 5
1,433 Views
0
4 REPLIES 4
Dave1
Helper I
Helper I

‎12-13-2017 09:16 PM

Hi, 

 

All depends on your auhentication architecture, data modeling, your extternal app capability. If you use the same domanname/username for the exteranl authentication and PowerBI, then just create a role and impliment dynamic row level security (DRLS). 

 

If your have different authentication processes, then  you have to create a two-step authentication process. First, You need to add  your users external authentication layer information (login neme(User Name)) as one field - say you have a user security table called, dimUserSecurity. This table has UserID, UserExternalLoginName, UserADName, FirstName, LastName etc... allow this table to have bidirectional relationship in your model.  When a user login to your aplication, you can add their loginName(UserName) as fliter toPowerBi in your API call. So, your reports/dashboards will be flittered for each user based on their role/permission. The user ONLY see what he has access to.

 

 

Message 2 of 5
1,426 Views
pauljacobevans
New Member
In response to Dave1

‎12-14-2017 09:45 AM

Awesome info.  Thank you.

We're re-building the front end .NET app from the ground up, 99% of the app workload is PowerBI.  So simplicity in this authentication hand-off is ideal for us.

 

Here's what I'm trying to understand (an example):

 

1.) I log into our application, a .NET web app using built-in .NET authentication:  https://portal.pjskillerpizza.com

2.) I can name my logon accounts whatever I want, so lets use something Azure (and PowerBI) understand: pjevans@pjskillerpizza.com.

3.) So I've just logged into my .NET app as pjevans@pjskillerpizza.com, cool.

4.) Now I go to the sales page, this has a PowerBI embedded report on it.  On the back-end within PowerBI I've set data security roles for (pjevans@pjskillerpizza.com) to only see regional sales for my region.

 

5?.) How does my app communicate the .NET web app logged on user with the PowerBI backend when the report is pulled?

 

That's what I'm still unclear about...



Thanks again for the help, this community is amazing. 🙂

Message 3 of 5
1,416 Views
0
Dave1
Helper I
Helper I
In response to pauljacobevans

‎12-14-2017 06:56 PM

Hi, 

 

Here is a highlevel solution. I assume that you know how to create Dynamic Row Level Security, BowerBI Embeding using the Master User account. 

 

Step 1: In your data model, add a security table called - eg. dimSecurity with the following fields: 

                      UserID, SalesRegionID, UserPrincipalName, UserName ---etc 

 

Step 2: Make sure that you have mapped your application logon names - add the logon name of your users in UserPrincipalName field. This helps you to map your users to their respective sales regions. If

 

Step 3: In you data model, add a control table - e.g. called dimSalesRegion with the following fields:

                    SalesRegionID, UserID, SalesRegionName ---etc 

 

Step 4 : In your data model, create a bidirectional relationship between dimSecurity and dimSalesRegion using SalesRegionID

 

Step 5: Create a bidirectional relationship between dimSalesRegion and your central tables - may be fact table using SalesRegionID

 

Step 6: In your model, create a role - eg. called ExternalUser --  use something similar dax function

                      UserPrincipalName = UserPrincipalName()

 UserPrincipalName function return the current user's principal name. 

 

Step 7: In your .net app Rest API call -  pass the principal user value as part of the API Call. Which means, your current user(principal) can only see data that are related to his princiapl user name (Sales Region). 

 

If you have detail technical questions: you can reach me at dawit@dabis.solutions.  Or you can review the offical PowerBI documents. 

         

Message 5 of 5
1,396 Views
0
Eric_Zhang
Employee
Employee
In response to pauljacobevans

‎12-14-2017 04:52 PM
@pauljacobevans wrote:

Awesome info.  Thank you.

We're re-building the front end .NET app from the ground up, 99% of the app workload is PowerBI.  So simplicity in this authentication hand-off is ideal for us.

 

Here's what I'm trying to understand (an example):

 

1.) I log into our application, a .NET web app using built-in .NET authentication:  https://portal.pjskillerpizza.com

2.) I can name my logon accounts whatever I want, so lets use something Azure (and PowerBI) understand: pjevans@pjskillerpizza.com.

3.) So I've just logged into my .NET app as pjevans@pjskillerpizza.com, cool.

4.) Now I go to the sales page, this has a PowerBI embedded report on it.  On the back-end within PowerBI I've set data security roles for (pjevans@pjskillerpizza.com) to only see regional sales for my region.

 

5?.) How does my app communicate the .NET web app logged on user with the PowerBI backend when the report is pulled?

 

That's what I'm still unclear about...
Thanks again for the help, this community is amazing. 🙂

@pauljacobevans

I think Embedding for your customers is typcial for your case. In this scenario, it uses a master account to access Power BI Service. The roles set in Power BI Service doesn't affect this case. You just specify the username and roles when generating the embedded token. See Use row-level security with Power BI embedded content.

 

The correlated PBI REST API is GenerateToken.

Message 4 of 5
1,405 Views
0

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All
Top Kudoed Authors
View All