Are you using the App-Owns-Data model or the User-Owns-Data model?
If you are using the App-Owns-Data model, you must generate an embed token with an EffectiveIdentity to map your user to a UserName and one or more roles. If you are using User-Owns-Data, the UserName is passed automatically and you must map each user to their RLS roles in the Power BI service.
In either case you can use dynamic RLS with a Users table and a UserPermissions table. Can you be more specific about what you are trying to accomplish?
I am using User-Owns-Data to implement my requirement.
I have successfully implemented displaying the reports list based on workspace/group id and am able to display report data when the user clicks on a particular report from the list. This is working as expected.
Now, I have to apply Row Level Security for the reports, i.e., based on the role of the user, report data is to be filtered and only reports should be displayed based on filtered data. I have tried but didn't get a solution for this.
Please see the screenshots of code below to give you an idea of how I am getting the access token from the authentication result. I am using the access token to get the reports list and to display an individual report.
[Screenshot: Lines of code to get Access Token]
[Screenshot: Code to get reports list using generated Access Token]
[Screenshot: Code to get selected report data using generated Access Token]
I think I need to make changes in code. But I would require your help to get this sorted. Thanks
If you are using User-Owns-Data then there is much less work to do. When using App-Owns-Data you must programmatically generate an embed code with the RLS roles inside. But with User-Owns-Data, all of RLS is configured external to your application.
Here are the basic steps.
1. Add RLS roles to your Power BI Desktop project.
2. Publish the Power BI Desktop project to an app workspace.
3. In the Power BI Service, configure the users and groups for each role.
4. Use Power BI embedding using the Azure AD access token created for each user.
At this point, RLS should work and Power BI embedding should only display the data for each user based on the role(s) they are in. I think you should be able to accomplish this without any changes to your current application.