savpek
New Member

Dynamic RLS with roles from JWT.

I am developing an application whose authorization is based on groups. I wrote a mediator that converts the application authentication token to a valid Power BI Embedded token with user + role information for frontend apps.

For example:

username: "guid here",
roles: ["5b8231a2-9ee5-4b27-a8a7-056af3a4f21f", "another group id guid..."]

However, I am struggling to find a clean solution to implement RLS for reports based on those roles, because they cannot be set in 'roles' in Desktop since they are generated on demand and there may be thousands of them.

The data model contains GROUP (e.g.) columns where applicable. It seems I cannot get the current roles for a DAX filter and only the current user is available? If I could retrieve role information in DAX filters, I could implement (in pseudocode) IF [GROUP] IN GETROLES(). However, it seems this isn't possible, am I right?

As a workaround, I may use a solution where the mediator that converts JWT tokens for Power BI Embedded writes a GROUP_AUTH table to the data model with columns "USER_ID, GROUP_MEMBERSHIP" during token exchange, which I can use to write valid RLS handling. The mediator service already has access to the Power BI data model (the report uses DirectQuery) because the service also generates report data based on messages from other parts.

Is there a cleaner solution available? It seems fragile to write that stuff to the database when it is already available in the JWT token, which is a secure way to transfer that information anyway. Or is there some feature that I have missed altogether?

1 REPLY 1
Eric_Zhang
Employee
@savpek wrote:

I am developing an application whose authorization is based on groups. I wrote a mediator that converts the application authentication token to a valid Power BI Embedded token with user + role information for frontend apps.

For example:

username: "guid here",
roles: ["5b8231a2-9ee5-4b27-a8a7-056af3a4f21f", "another group id guid..."]

However, I am struggling to find a clean solution to implement RLS for reports based on those roles, because they cannot be set in 'roles' in Desktop since they are generated on demand and there may be thousands of them.

The data model contains GROUP (e.g.) columns where applicable. It seems I cannot get the current roles for a DAX filter and only the current user is available? If I could retrieve role information in DAX filters, I could implement (in pseudocode) IF [GROUP] IN GETROLES(). However, it seems this isn't possible, am I right?

As a workaround, I may use a solution where the mediator that converts JWT tokens for Power BI Embedded writes a GROUP_AUTH table to the data model with columns "USER_ID, GROUP_MEMBERSHIP" during token exchange, which I can use to write valid RLS handling. The mediator service already has access to the Power BI data model (the report uses DirectQuery) because the service also generates report data based on messages from other parts.

Is there a cleaner solution available? It seems fragile to write that stuff to the database when it is already available in the JWT token, which is a secure way to transfer that information anyway. Or is there some feature that I have missed altogether?

@savpek

No, you can't get the roles from DAX, and yes, you can only get the current user by using USERNAME(). Based on my understanding, RLS is set for pre-existing roles, so you can't make it dynamic. What is the dataset like in your case? If there exists some user column, you can only create one role with a condition like [usercol] = UserName(), then in the JWT token, specify the role and specific users.
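
An added example (not code from either poster) that combines the GROUP_AUTH workaround from the question with the single-role approach from the reply: the mediator turns already verified JWT claims into GROUP_AUTH rows and an embed-token request that names only one static role. The role name `GroupMember`, the function names, the sample GUIDs and the request body shape (modeled on the Power BI embed-token request with an `identities` list) are assumptions.

```python
import uuid

STATIC_ROLE = "GroupMember"  # hypothetical: the one role defined in Desktop
# Assumed DAX filter for that role on GROUP_AUTH: [USER_ID] = USERNAME()

def canonical_guid(value):
    """Return the lowercase canonical GUID string, or raise ValueError."""
    return str(uuid.UUID(str(value)))

def group_auth_rows(claims):
    """(USER_ID, GROUP_MEMBERSHIP) rows to write before the token is issued."""
    user = canonical_guid(claims["username"])
    # Deduplicate after normalising so case variants collapse to one row.
    groups = sorted({canonical_guid(g) for g in claims.get("roles", [])})
    return [(user, g) for g in groups]

def embed_token_request(claims, dataset_id, report_id):
    """Request body with one effective identity.

    The on-demand group GUIDs never go into "roles"; only the static role
    does, and RLS resolves group membership through GROUP_AUTH.
    """
    return {
        "datasets": [{"id": dataset_id}],
        "reports": [{"id": report_id}],
        "identities": [{
            "username": canonical_guid(claims["username"]),
            "roles": [STATIC_ROLE],
            "datasets": [dataset_id],
        }],
    }

# Constructed sample claims, as read from an already verified application JWT.
SAMPLE_CLAIMS = {
    "username": "0f8fad5b-d9cb-469f-a165-70867728950e",
    "roles": [
        "5b8231a2-9ee5-4b27-a8a7-056af3a4f21f",
        "5B8231A2-9EE5-4B27-A8A7-056AF3A4F21F",  # same group, different case
    ],
}

if __name__ == "__main__":
    print(group_auth_rows(SAMPLE_CLAIMS))
    print(embed_token_request(SAMPLE_CLAIMS, "dataset-id-placeholder",
                              "report-id-placeholder"))
```

Rejecting anything that does not parse as a GUID keeps free-form claim values out of both the GROUP_AUTH table and the effective identity.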
