Anonymous

Embedded report for non power bi users with Row level security

As the title says I'm trying to embed a power bi report with the RLS feature.

So far I already got the first part done, I'm properly embedding my report using the example from this documentation:
https://docs.microsoft.com/en-us/power-bi/developer/embedded/embed-sample-for-customers?tabs=net-cor...

However I'm very confused as to how to apply RLS... I'm following the documentation at: https://docs.microsoft.com/en-us/power-bi/developer/embedded/embedded-row-level-security 

At the beginning of the documentation it's clearly stated that:
"If you're embedding for non-Power BI users (app owns data), which is typically an ISV scenario, then this article is for you!"

This is exactly what I want, embed for NON power bi users, but if that's the case, then why do we need to pass username to the identity?
The doc then says:
"username (mandatory) – A string that can be used to help identify the user when applying RLS rules."

If it's embedded for a non power bi user, how can this be requested? Shouldn't only the list of roles be requested?

The doc says: "Power BI Embedded doesn't have any specific information on who your user is." So what do I even use as username parameter?

Then, it says:

"Considerations and limitations

  • Assignment of users to roles within the Power BI service doesn't affect RLS when using an embed token."

What does this mean? Aren't the roles what PBI uses to make RLS work? The documentation says it:
"roles (mandatory) – A string containing the roles to select when applying Row Level Security rules. If passing more than one role, they should be passed as a string array."

The entire documentation at https://docs.microsoft.com/en-us/power-bi/developer/embedded/embedded-row-level-security is really confusing to me...

1 ACCEPTED SOLUTION
v-rzhou-msft
Community Support

Hi @Anonymous ,

 

According to your statement, I know you want to configure RLS in App owns data.

In app owns data, to use your application, your users will not need to sign in to Power BI or have a Power BI license. You need to generate an embed token by code for your end user.

Below are the workloads to generate an embed token:

[Image: 1.png]

For reference:

 Work loads Embed token

Embed Token - Generate Token

As this blog mentioned, you need to configure RLS in Desktop as normal, and then add the RLS parameters (identities) to the code when you generate the embed token for the end user.

You could change the PowerBI-Developer-Samples > .NET Framework > Embed for your customers > PowerBIEmbedded_AppOwnsData sample.

 

public EmbedToken GetEmbedToken(Guid reportId, IList<Guid> datasetIds, [Optional] Guid targetWorkspaceId)
{
    PowerBIClient pbiClient = this.GetPowerBIClient();

    // Effective identity used for RLS. "username" and "roleA" are placeholders:
    // username is a string your application picks to identify the end user,
    // roles are the RLS roles defined in Power BI Desktop.
    var rls = new EffectiveIdentity(
        username: "username",
        roles: new List<string> { "roleA" },
        datasets: datasetIds.Select(datasetId => datasetId.ToString()).ToList()
    );

    // Create a request for getting an embed token
    // This method works only with new Power BI V2 workspace experience
    var tokenRequest = new GenerateTokenRequestV2(
        reports: new List<GenerateTokenRequestV2Report>() { new GenerateTokenRequestV2Report(reportId) },
        datasets: datasetIds.Select(datasetId => new GenerateTokenRequestV2Dataset(datasetId.ToString())).ToList(),
        targetWorkspaces: targetWorkspaceId != Guid.Empty ? new List<GenerateTokenRequestV2TargetWorkspace>() { new GenerateTokenRequestV2TargetWorkspace(targetWorkspaceId) } : null,
        identities: new List<EffectiveIdentity> { rls }
    );

    // Generate an embed token
    var embedToken = pbiClient.EmbedToken.GenerateToken(tokenRequest);

    return embedToken;
}

 

 

Best Regards,
Rico Zhou

 

If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.

2 REPLIES 2
lbendlin
Super User

RLS comes in two flavors.

Roles based, where you assign DAX rules to roles, and then assign users to roles. This assumes your users are already authenticated.

Dynamic RLS, where you use USERPRINCIPALNAME() to drive the DAX rules (or use the data model). While this works with users who don't have a Power BI license, these users still need to have authenticated in a way that produces a result for USERPRINCIPALNAME().

 

In an App Owns Data scenario you have to implement the first version manually.  The users must present some sort of user id, but you can then decide how to map that to your RLS roles, most likely as part of your wrapper application that does your authentication.
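
The mapping described in the reply above, as an added example that is not part of any post in this thread or of the Microsoft sample: the wrapper application derives the RLS username and roles from its own authenticated user record and refuses to proceed when no role applies. `AppUser`, `RlsIdentityResolver`, the group names and the role names are hypothetical; only `EffectiveIdentity` comes from the Power BI .NET SDK.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.PowerBI.Api.Models;

// Hypothetical application user, filled in by the wrapper application's own login.
public sealed class AppUser
{
    public string UserId { get; set; }
    public IReadOnlyCollection<string> Groups { get; set; } = new List<string>();
}

public static class RlsIdentityResolver
{
    // Constructed sample mapping: application group -> RLS role defined in Power BI Desktop.
    private static readonly Dictionary<string, string> GroupToRole =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["sales-emea"] = "EMEA",
            ["sales-amer"] = "Americas",
        };

    // Builds the identity from the server-side user record only; nothing here is
    // read from the browser request, so a client cannot pick its own username or role.
    public static EffectiveIdentity Resolve(AppUser user, IEnumerable<Guid> datasetIds)
    {
        if (user is null || string.IsNullOrWhiteSpace(user.UserId))
            throw new UnauthorizedAccessException("No authenticated application user.");

        var roles = user.Groups
            .Where(g => GroupToRole.ContainsKey(g))
            .Select(g => GroupToRole[g])
            .Distinct()
            .ToList();

        // Fail closed: a user with no mapped role is refused before any
        // token request is made.
        if (roles.Count == 0)
            throw new UnauthorizedAccessException("User maps to no RLS role.");

        return new EffectiveIdentity(
            username: user.UserId,
            roles: roles,
            datasets: datasetIds.Select(id => id.ToString()).ToList());
    }
}
```

The returned object takes the place of `rls` in the `identities` list of the `GetEmbedToken` sample in the accepted solution.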
