Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Earn the coveted Fabric Analytics Engineer certification. 100% off your exam for a limited time only!

Reply
detlev
Helper I
Helper I

I would like to have some detailed information about PBI security towards on premise SSAS mode

PBI sessions are initiated with a O365 account of the user who start powerbi.com, which is 'the same' account as on premise. The stored gateway datasource credentials are then used to connect to the SSAS server. Am I right so far?

 

But I guess the SSAS engine still retrives the original user account to check if this enduser is part of a read role in the SSAS model and to be used in DAX for RLS, etc..

 

How does this work? And in which stage the user credentials are passed to the model? Where can I find more detailed information on this topic?

 

I use Extended Events sessions on premise SSAS server to audit detailed information on sessions, logins, logouts and queries but most of the time I see the stored gatawaydatasourcecredentials rather than the enduser which is querying the models.

1 ACCEPTED SOLUTION
v-yuezhe-msft
Employee
Employee

@detlev,

Do you connect to SSAS in Power BI using a "Connect Live" mode?

Dynamic RLS only works with live connection, and in this case, Power BI uses the effectiveusername property to send the current Power BI user credential to the on-premises SSAS data source to run the queries. The email address that used to sign in Power BI with is passed to Analysis Services as the effective user.  You can use SQL Profiler to capture the background process.

Reference:
https://docs.microsoft.com/en-us/power-bi/desktop-tutorial-row-level-security-onprem-ssas-tabular



Regards,
Lydia

Community Support Team _ Lydia Zhang
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

View solution in original post

1 REPLY 1
v-yuezhe-msft
Employee
Employee

@detlev,

Do you connect to SSAS in Power BI using a "Connect Live" mode?

Dynamic RLS only works with live connection, and in this case, Power BI uses the effectiveusername property to send the current Power BI user credential to the on-premises SSAS data source to run the queries. The email address that used to sign in Power BI with is passed to Analysis Services as the effective user.  You can use SQL Profiler to capture the background process.

Reference:
https://docs.microsoft.com/en-us/power-bi/desktop-tutorial-row-level-security-onprem-ssas-tabular



Regards,
Lydia

Community Support Team _ Lydia Zhang
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Helpful resources

Announcements
April AMA free

Microsoft Fabric AMA Livestream

Join us Tuesday, April 09, 9:00 – 10:00 AM PST for a live, expert-led Q&A session on all things Microsoft Fabric!

March Fabric Community Update

Fabric Community Update - March 2024

Find out what's new and trending in the Fabric Community.

Top Solution Authors
Top Kudoed Authors