Rick4him
Helper I

Only roles seem to have an effect on RLS

I have set up a test AD user, and when signed on as that user, a shared report has RLS via roles working correctly. When using the same report (dataset) with the EffectiveIdentity function, it does not. Only the roles have an effect on the filtered rows. If I use an invalid user, the rows filtered are the same as if I sent a valid user. Additionally, if I change which roles are passed, the data set changes for any user.

 

I suspect I have something setup or coded wrong. 

 

I was under the impression that the embedded RLS took the username (domain\upn) and used Azure ADFS for any AD groups the user belongs to and used the dataset roles to see what groups and/or direct user mappings exist and then showed the resulting filtered rows.  That is how it works using the report on a shared dashboard signed on as the test user.

 

Snippet from App owns Data: I am using the base GitHub code.

 

    var datasets = await client.Datasets.GetDatasetByIdInGroupAsync(GroupId, report.DatasetId);
    result.IsEffectiveIdentityRequired = datasets.IsEffectiveIdentityRequired;
    result.IsEffectiveIdentityRolesRequired = datasets.IsEffectiveIdentityRolesRequired;
    GenerateTokenRequest generateTokenRequestParameters;

    // This is how you create embed token with effective identities
    if (!string.IsNullOrEmpty(username))
    {
        var rls = new EffectiveIdentity(username, new List<string> { report.DatasetId });
        if (!string.IsNullOrWhiteSpace(roles))
        {
            var rolesList = new List<string>();
            rolesList.AddRange(roles.Split(','));
            rls.Roles = rolesList;
        }

        // Generate Embed Token with effective identities.
        generateTokenRequestParameters = new GenerateTokenRequest(accessLevel: "view", identities: new List<EffectiveIdentity> { rls });
    }

1 ACCEPTED SOLUTION

Hi, 

 

I am using "App owns data" and I did follow the referenced article. From the article you linked, what is the point of assigning a user (in red) if they have no effect (see your statement in blue)?

 

Users – These are the actual end-users viewing reports. In Power BI Embedded, users are identified by the username property in an embed token.

 

  • Assignment of users to roles within the Power BI service does not affect RLS when using an embed token.

 

 

If the key is not assigning users to roles in the Power BI service, how is a user assigned to a role (in green), as it cannot be done in Power BI Desktop (via the link in pink)? It states you can only assign users to roles in the Power BI service (see in purple).

 

Roles – Users belong to roles. A role is a container for rules and can be named something like Sales Manager or Sales Rep. You create roles within Power BI Desktop. For more information, see Row-level security (RLS) with Power BI Desktop.

 

You cannot assign users to a role within Power BI Desktop. This is done within the Power BI service. You can enable dynamic security within Power BI Desktop by making use of the username() or userprincipalname() DAX functions and having the proper relationships configured.

 

I have found another issue, but it actually relates directly to an issue with Power BI Desktop. If you use "View as roles: Other User" and the user you are using is part of an NT group given access on the Power BI service, the filter does not work; instead it gives the user access to all the data. However, with this same user signed on and using a shared dashboard, the filter does work. The "View as roles" by the role, the role the user has been assigned via the NT group, does work. It seems even though the option is there, Power BI Desktop does not reach out to the Power BI service to see what access the user might actually have.

 

 

Two questions:

1. How do you assign a user to a role when using "App owns data" embedding?

2. In your statement below, what constitutes an identity? User and role(s) are parameters. Where is the user compared against, if not in the Power BI service?

 

  • While the Power BI service will not apply RLS setting to admins or members with edit permissions, when you supply an identity with an embed token, it will be applied to the data.


2 REPLIES
v-ljerr-msft
Employee

Hi @Rick4him,

 

There are two types of Power BI Embedding (user owns data, and app owns data). The RLS for the two types of Embedding is also different.

  • If you are embedding to Power BI users (user owns data), within your organization, RLS works the same as it does within the Power BI service directly. There is nothing more you need to do in your application. For more information, see Row-Level security (RLS) with Power BI.
  • If you are embedding for non-Power BI users (app owns data), which is typically an ISV scenario, then this article is for you! You will need to configure the embed token to account for user and role.

Following are also some considerations and limitations to use row-level security with Power BI embedded content app owns data scenario.

  • Assignment of users to roles within the Power BI service does not affect RLS when using an embed token.
  • While the Power BI service will not apply RLS setting to admins or members with edit permissions, when you supply an identity with an embed token, it will be applied to the data.
  • Passing the identity information, when calling GenerateToken, is only supported for report read/write. Support for other resources will come later.
  • Analysis Services live connections are supported for on-premises servers.
  • Azure Analysis Services live connections support filtering by roles, but not dynamic by username.
  • If the underlying dataset doesn’t require RLS, the GenerateToken request must not contain an effective identity.
  • If the underlying dataset is a cloud model (cached model or DirectQuery), the effective identity must include at least one role. Otherwise, role assignment will not occur.
  • Only one identity can be provided in the list of identities. We are using a list to enable multi-identity tokens for dashboard embedding in the future.

 

Regards
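
The considerations listed in the reply above, applied on the server that calls GenerateToken. This is an added example, not code from the thread or from the Power BI sample; it uses the SDK types from the question's snippet, and `EmbedIdentityBuilder`, `RoleMap` and the sample addresses are hypothetical. It shows the application itself mapping its signed-in user to roles, because with an embed token the username and roles are whatever the application sends.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.PowerBI.Api.V2.Models; // SDK v3 and later: Microsoft.PowerBI.Api.Models

public static class EmbedIdentityBuilder
{
    // Hypothetical application-owned mapping: signed-in user -> RLS roles.
    // Role assignments made in the Power BI service are not consulted for embed tokens.
    private static readonly Dictionary<string, string[]> RoleMap =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice@contoso.example", new[] { "Sales Rep" } },     // constructed sample
            { "bob@contoso.example",   new[] { "Sales Manager" } }, // constructed sample
        };

    public static GenerateTokenRequest Build(
        string authenticatedUser, string datasetId,
        bool? identityRequired, bool? rolesRequired)
    {
        // Dataset without RLS: the request must not carry an effective identity.
        if (identityRequired != true)
            return new GenerateTokenRequest(accessLevel: "view");

        // The user comes from the server-side session, never from a query string or form field.
        if (string.IsNullOrWhiteSpace(authenticatedUser))
            throw new UnauthorizedAccessException("No signed-in user for an RLS dataset.");

        string[] mapped;
        var roles = RoleMap.TryGetValue(authenticatedUser, out mapped)
            ? mapped.ToList() : new List<string>();

        // Fail closed when the dataset needs roles and the user maps to none.
        if (rolesRequired == true && roles.Count == 0)
            throw new UnauthorizedAccessException("User has no RLS role for this dataset.");

        var identity = new EffectiveIdentity(authenticatedUser, new List<string> { datasetId });
        if (roles.Count > 0)
            identity.Roles = roles;

        // Only one identity may be supplied per token request.
        return new GenerateTokenRequest(
            accessLevel: "view",
            identities: new List<EffectiveIdentity> { identity });
    }
}
```

The username passed here only filters rows if a role's DAX rule compares a column against username() or userprincipalname(); a role with a static filter returns the same rows for any username.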

