Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.
I have setup a test AD user and when the signed on as the user a shared report has RLS via roles working correctly. When using the same report (dataset) and using the EffectiveIdentity function it does not. Only the roles have an effect on the filter rows. If I use an invalid user, the rows filtered are the same as if I sent a valid user. Additionally if I change which roles are passed the data set changes for any user.
I suspect I have something setup or coded wrong.
I was under the impression that the embedded RLS took the username (domain\upn) and used Azure ADFS for any AD groups the user belongs to and used the dataset roles to see what groups and/or direct user mappings exist and then showed the resulting filtered rows. That is how it works using the report on a shared dashboard signed on as the test user.
Snippet from App owns Data: I am using the base gitHub code.
var datasets = await client.Datasets.GetDatasetByIdInGroupAsync(GroupId, report.DatasetId);
result.IsEffectiveIdentityRequired = datasets.IsEffectiveIdentityRequired;
result.IsEffectiveIdentityRolesRequired = datasets.IsEffectiveIdentityRolesRequired;
GenerateTokenRequest generateTokenRequestParameters;
// This is how you create embed token with effective identities
if (!string.IsNullOrEmpty(username))
{
var rls = new EffectiveIdentity(username, new List<string> { report.DatasetId });
if (!string.IsNullOrWhiteSpace(roles))
{
var rolesList = new List<string>();
rolesList.AddRange(roles.Split(','));
rls.Roles = rolesList;
}
// Generate Embed Token with effective identities.
generateTokenRequestParameters = new GenerateTokenRequest(accessLevel: "view", identities: new List<EffectiveIdentity> { rls });
}
Solved! Go to Solution.
Hi,
I am using "App owns data" and I did follow the referenced article. From the article you linked, what is the point of assigning a user (in red) if they have no effect (see your statement n blue)?
Users – These are the actual end-users viewing reports. In Power BI Embedded, users are identified by the username property in an embed token.
If the key is not assigning users to roles in PowerBI service, how is a user assigned to a role (in green) as it cannot be done in the PowerBI Desktop (via the link in pink), it states you can only assign users to roles in the Power BI Service (see in purple).
Roles – Users belong to roles. A role is a container for rules and can be named something like Sales Manager or Sales Rep. You create roles within Power BI Desktop. For more information, see Row-level security (RLS) with Power BI Desktop.
You cannot assign users to a role within Power BI Desktop. This is done within the Power BI service. You can enable dynamic security within Power BI Desktop by making use of the username() or userprincipalname() DAX functions and having the proper relationships configured.
I have found another issue but it actually relates directly to an issue with the Power BI Desktop. If you use "View as roles: Other User" and the user you are using is part of an NT group given access on the PowerBI Service the filter does not work , instead it gives the user access to all the data. However this same user signed on and using a shared dashboard the filter does work. The View as roles: by the role, the role the user has been assgined via the NT group does work. It seems even though the option is there, the PBI desktop does not reach out to the Power BI service to see what access the user might actually have.
Two questions:
1. How do you assign a user to a role when using "App owns data" embedding?
2. In your statement below what constitutes an identity, user and role(s) are parameters. Where is the user compared against if not in the PowerBI Service?
Hi @Rick4him,
There are two types of Power BI Embedding(user owns data, and app owns data). The RLS for the two types of Embedding is also different.
Following are also some considerations and limitations to use row-level security with Power BI embedded content app owns data scenario.
Regards
Hi,
I am using "App owns data" and I did follow the referenced article. From the article you linked, what is the point of assigning a user (in red) if they have no effect (see your statement n blue)?
Users – These are the actual end-users viewing reports. In Power BI Embedded, users are identified by the username property in an embed token.
If the key is not assigning users to roles in PowerBI service, how is a user assigned to a role (in green) as it cannot be done in the PowerBI Desktop (via the link in pink), it states you can only assign users to roles in the Power BI Service (see in purple).
Roles – Users belong to roles. A role is a container for rules and can be named something like Sales Manager or Sales Rep. You create roles within Power BI Desktop. For more information, see Row-level security (RLS) with Power BI Desktop.
You cannot assign users to a role within Power BI Desktop. This is done within the Power BI service. You can enable dynamic security within Power BI Desktop by making use of the username() or userprincipalname() DAX functions and having the proper relationships configured.
I have found another issue but it actually relates directly to an issue with the Power BI Desktop. If you use "View as roles: Other User" and the user you are using is part of an NT group given access on the PowerBI Service the filter does not work , instead it gives the user access to all the data. However this same user signed on and using a shared dashboard the filter does work. The View as roles: by the role, the role the user has been assgined via the NT group does work. It seems even though the option is there, the PBI desktop does not reach out to the Power BI service to see what access the user might actually have.
Two questions:
1. How do you assign a user to a role when using "App owns data" embedding?
2. In your statement below what constitutes an identity, user and role(s) are parameters. Where is the user compared against if not in the PowerBI Service?
Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City
Check out the April 2024 Power BI update to learn about new features.
User | Count |
---|---|
14 | |
2 | |
2 | |
1 | |
1 |