savpek
New Member

Dynamic RLS with roles from JWT.

I am developing an application whose authorization is based on groups. I wrote a mediator that converts the application authentication token to a valid Power BI Embedded token with user + role information for frontend apps.

For example:

username: "guid here",
roles: ["5b8231a2-9ee5-4b27-a8a7-056af3a4f21f", "another group id guid..."]

However, I am struggling to find a clean solution to implement RLS for reports based on those roles, because they cannot be set in 'roles' in Desktop since they are generated on demand and there may be thousands of them.

The data model contains GROUP (e.g.) columns where applicable. It seems I cannot get the current roles for a DAX filter and only the current user is available? If I could retrieve role information in DAX filters, I could implement (in pseudocode) IF [GROUP] IN GETROLES(). However, it seems this isn't possible, am I right?

As a workaround, I may use a solution where the mediator that converts JWT tokens for Power BI Embedded writes a GROUP_AUTH table to the data model with columns "USER_ID, GROUP_MEMBERSHIP" during token exchange, which I can use to write valid RLS handling. The mediator service already has access to the Power BI data model (the report uses DirectQuery) because the service also generates report data based on messages from other parts.

Is there a cleaner solution available? It seems fragile to write that stuff to the database when it is already available in the JWT token, which is a secure way to transfer that information anyway. Or is there some feature that I have missed altogether?

Eric_Zhang
Employee


@savpek

No, you can't get the roles from DAX, and yes, you can only get the current user by using USERNAME(). Based on my understanding, RLS is set for pre-existing roles, so you can't make it dynamic. What is the dataset like in your case? If there is a user column, you can create only one role with a condition like [usercol] = UserName(), then in the JWT token, specify the role and specific users.
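
The GROUP_AUTH workaround from the question combined with the single static role from the reply, as an added example that is not part of the original thread or anyone's production code. It assumes the token claims are already signature-verified; the role name `GroupMember`, the function names and the in-memory set standing in for the GROUP_AUTH table are all hypothetical.

```python
import uuid

RLS_ROLE = "GroupMember"  # assumed name of the one static role defined in Desktop

def _guid(value):
    # Normalise to canonical lowercase GUID text; raises ValueError on anything else.
    return str(uuid.UUID(value))

def sync_group_auth(auth_rows, claims):
    """Replace this user's GROUP_AUTH rows (USER_ID, GROUP_MEMBERSHIP) with the token's groups.

    Replacing rather than appending means a group dropped from the token stops granting access.
    """
    user = _guid(claims["username"])
    kept = {row for row in auth_rows if row[0] != user}
    return kept | {(user, _guid(g)) for g in claims["roles"]}

def embed_token_request(claims, dataset_id, report_id):
    """Body for the Power BI 'Generate Token' REST call with one effective identity."""
    return {
        "datasets": [{"id": dataset_id}],
        "reports": [{"id": report_id}],
        "identities": [{
            "username": _guid(claims["username"]),  # what USERNAME() returns in the RLS filter
            "roles": [RLS_ROLE],                    # static role, not the per-group GUIDs
            "datasets": [dataset_id],
        }],
    }

def visible_rows(fact_rows, auth_rows, username):
    """Model of the role's filter: keep rows whose GROUP is one of the user's GROUP_AUTH groups."""
    allowed = {g for u, g in auth_rows if u == username}
    return [r for r in fact_rows if r["GROUP"] in allowed]

# Constructed sample data; only G1 is the group GUID quoted in the question.
USER = "11111111-1111-4111-8111-111111111111"
G1 = "5b8231a2-9ee5-4b27-a8a7-056af3a4f21f"
G2 = "22222222-2222-4222-8222-222222222222"
FACTS = [{"id": 1, "GROUP": G1}, {"id": 2, "GROUP": G2}]

if __name__ == "__main__":
    table = sync_group_auth(set(), {"username": USER, "roles": [G1, G2]})
    print(visible_rows(FACTS, table, USER))
    table = sync_group_auth(table, {"username": USER, "roles": [G1]})  # G2 revoked
    print(visible_rows(FACTS, table, USER))
```

Because the rows are written at token exchange, a user's access in the report follows the last token exchanged for them, so membership removed in the application takes effect only at the next exchange.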
