RafaelF2
New Member

Embedded report for non power bi users with Row level security

As the title says I'm trying to embed a power bi report with the RLS feature.

So far I already got the first part done, I'm properly embedding my report using the example from this documentation:
https://docs.microsoft.com/en-us/power-bi/developer/embedded/embed-sample-for-customers?tabs=net-cor...

However I'm very confused as to how to apply RLS... I'm following the documentation at: https://docs.microsoft.com/en-us/power-bi/developer/embedded/embedded-row-level-security 

At the beginning of the documentation it's clearly stated that:
"If you're embedding for non-Power BI users (app owns data), which is typically an ISV scenario, then this article is for you!"

This is exactly what I want, embed for NON power bi users, but if that's the case, then why do we need to pass username to the identity?
The doc then says:
"username (mandatory) – A string that can be used to help identify the user when applying RLS rules."

If it's embedded for a non power bi user, how can this be requested? Shouldn't only the list of roles be requested?

The doc says: "Power BI Embedded doesn't have any specific information on who your user is." So what do I even use as username parameter?

Then, it says:

"
Considerations and limitations

  • Assignment of users to roles within the Power BI service doesn't affect RLS when using an embed token."

 

What does this mean? Aren't the roles what PBI uses to make RLS work? The documentation says it:
"roles (mandatory) – A string containing the roles to select when applying Row Level Security rules. If passing more than one role, they should be passed as a string array."

The entire documentation at https://docs.microsoft.com/en-us/power-bi/developer/embedded/embedded-row-level-security is really confusing to me...

1 ACCEPTED SOLUTION
RicoZhou
Community Support

Hi @RafaelF2 ,

 

According to your statement, I know you want to configure RLS in App owns data.

In app owns data, to use your application, your users will not need to sign in to Power BI or have a Power BI license. You need to generate an embed token by code for your end user.

Below are the workloads to generate an embed token:


For reference:

 Work loads Embed token

Embed Token - Generate Token

As this blog mentioned, you need to configure RLS in Desktop as normal, and then add the RLS parameters (identities) to the code when you generate the embed token for the end user.

You could change the PowerBI-Developer-Samples > .NET Framework > Embed for your customers > PowerBIEmbedded_AppOwnsData sample.

 

public EmbedToken GetEmbedToken(Guid reportId, IList<Guid> datasetIds, [Optional] Guid targetWorkspaceId)
{
    PowerBIClient pbiClient = this.GetPowerBIClient();

    // Effective identity that carries the RLS parameters.
    // "username" and "roleA" are placeholders: supply your own user identifier
    // and the role names you defined in Power BI Desktop.
    var rls = new EffectiveIdentity(
        username: "username",
        roles: new List<string> { "roleA" },
        datasets: datasetIds.Select(datasetId => datasetId.ToString()).ToList());

    // Create a request for getting an embed token
    // This method works only with new Power BI V2 workspace experience
    var tokenRequest = new GenerateTokenRequestV2(
        reports: new List<GenerateTokenRequestV2Report>() { new GenerateTokenRequestV2Report(reportId) },
        datasets: datasetIds.Select(datasetId => new GenerateTokenRequestV2Dataset(datasetId.ToString())).ToList(),
        targetWorkspaces: targetWorkspaceId != Guid.Empty ? new List<GenerateTokenRequestV2TargetWorkspace>() { new GenerateTokenRequestV2TargetWorkspace(targetWorkspaceId) } : null,
        identities: new List<EffectiveIdentity> { rls }
    );

    // Generate an embed token
    var embedToken = pbiClient.EmbedToken.GenerateToken(tokenRequest);

    return embedToken;
}

 

 

Best Regards,
Rico Zhou

 

If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.

lbendlin
Super User

RLS comes in two flavors.

Role-based, where you assign DAX rules to roles, and then assign users to roles. This assumes your users are already authenticated.

Dynamic RLS, where you use USERPRINCIPALNAME() to drive the DAX rules (or use the data model). While this works with users who don't have a Power BI license, these users still need to have authenticated in a way that produces a result for USERPRINCIPALNAME().

In an App Owns Data scenario you have to implement the first version manually. The users must present some sort of user id, but you can then decide how to map that to your RLS roles, most likely as part of your wrapper application that does your authentication.
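
The mapping step described in the replies above, as an added example that is not part of either post or of the Microsoft sample: the wrapper application derives `username` and `roles` from its own authenticated session and an allowlist, so the browser never chooses them. `AppUser`, `RlsIdentityMapper`, the group names and the role names are hypothetical; `EffectiveIdentity` is the type used in the accepted solution.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.PowerBI.Api.Models;

// Hypothetical record your wrapper application fills in after its own login flow.
public sealed class AppUser
{
    public string UserId { get; set; }   // your application's identifier, not a Power BI account
    public IList<string> Groups { get; set; } = new List<string>();
}

public static class RlsIdentityMapper
{
    // Hypothetical allowlist: application group -> RLS role name defined in Power BI Desktop.
    private static readonly Dictionary<string, string> GroupToRole =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["sales-emea"] = "EMEA",
            ["sales-apac"] = "APAC",
        };

    // Builds the identity from the server-side session only; nothing here is read
    // from query strings, form fields or any other value the browser controls.
    public static EffectiveIdentity ForUser(AppUser user, IEnumerable<Guid> datasetIds)
    {
        if (user == null || string.IsNullOrWhiteSpace(user.UserId))
            throw new UnauthorizedAccessException("No authenticated application user.");

        var roles = (user.Groups ?? new List<string>())
            .Where(g => g != null && GroupToRole.ContainsKey(g))
            .Select(g => GroupToRole[g])
            .Distinct()
            .ToList();

        // Fail closed: a user who maps to no role gets no token instead of a default role.
        if (roles.Count == 0)
            throw new UnauthorizedAccessException("User is not mapped to any RLS role.");

        return new EffectiveIdentity(
            username: user.UserId,
            roles: roles,
            datasets: datasetIds.Select(id => id.ToString()).ToList());
    }
}
```

The result goes into the token request from the accepted solution as `identities: new List<EffectiveIdentity> { RlsIdentityMapper.ForUser(user, datasetIds) }`.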
