AndrewJohnBenja
Regular Visitor

Power BI Embedded Row Level Security

Hi,

My organisation is considering using Power BI and I have been tasked with looking into how we could integrate it into our solution. I have read a lot of online documentation and a fair few of the "Guy in a Cube" training videos. I guess I am looking for some advice on a recommended approach to embedding Power BI into our solution.

We are looking to embed dashboards etc. into our web application and therefore would be looking to use Power BI Embedded, as we don't want the end user to be aware of or need individual Power BI accounts to use it. We currently use Keycloak as our authentication provider, which issues JWTs to authenticated users (OAuth 2.0). The JWT will contain certain claims that restrict the data the user is able to view. As far as I can tell, there seems to be no way to re-use/issue such tokens to Power BI so that we can restrict the data based on their claims.

What is the recommended approach to achieve this?

Would we need to re-create all of our users from Keycloak in AAD?

How do I pass the user's claims to Power BI and have the service filter the data based on those claims?

v-jiascu-msft
Employee

Hi @AndrewJohnBenja,

 

To be honest, I don't know much about Keycloak. But there is a solution provided by Power BI. One account (the master account) is needed. We can also apply RLS. Please refer to embed-sample-for-customers and developer/embedded-row-level-security

Regarding your questions:

1. The recommended approach is the official solution. Refer to the above links.

2. Only one Power BI Pro account is needed as the master account. As you said, the users won't be aware of the existence of Power BI.

3. Refer to the links above.

 

Best Regards,

Dale

 

Community Support Team _ Dale
If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.

Hi Dale,

 

I realise this is an old post but perhaps you can help me.

 

In our scenario we have a database with customer records of 15,000 customers. When each customer logs in to our portal with Power BI Embedded, we want to show them only their own data and ensure there is no 'hack' they can perform to get other customers' data. Using JavaScript filters, for example on Customer ID, would work but would not be secure.

From what I can gather from previous posts and online documentation, we would need to create a role per customer and use that when generating the access token? This is pretty cumbersome and admin heavy for 15,000 customers. What if we have 100,000 customers? The admin burden to go in every time to create a specific role per customer seems like an inefficient solution. Perhaps we can create the role via an API for each customer as they log in for the first time? Are there any limits to the number of roles?

Is there a way to apply a filter on our server call for the token that is hidden from the client?

If I explain this from a standard web app perspective: we would know the user ID, and we would retrieve data on the server for that user ID and return the data to the client. With Power BI Embedded, though, the browser client is ultimately making the call, so filters are visible.

 

Many thanks for any advice

Hi,

 

Thanks for taking the time to reply. Much appreciated.

 

So, a few questions.

 

1. When generating an embed token via an embed token request, I have to supply a user and a list of roles. Does that user have to exist in AAD?

2. Why do I need to supply a list of roles with the embed token request? I have seen that roles are created and users are assigned to those roles through the Power BI desktop/portal.

3. When assigning users to roles through Power BI, does that user have to exist in AAD?

 

Many Thanks

 - Andy

Hi Andy,

 

Since "App Owns Data" only uses one Power BI account, we can't identify the end users (your application users) with Power BI accounts.

1. No, the users are your application users.

2. In a word, there is only one Power BI account in this scenario. The end users are identified by the tokens. So assigning roles in the Power BI Service won't work here. Please refer to: #considerations-and-limitations.

>>>Assignment of users to roles within the Power BI service does not affect RLS when using an embed token.

3. Yes, if we assign roles to users in the Service, they must be Power BI users. But this won't be necessary in this scenario. Please refer to item 2 above for the reasons.

 

Best Regards,

Dale

Community Support Team _ Dale
If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.
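
The server-side step this answer describes, as an added example that is not part of the original thread or of Microsoft's sample code: the application builds the embed token request itself and takes the RLS identity only from the claims of a Keycloak JWT it has already verified. The claim name `customer_id`, the role name `Customer` and the placeholder IDs are assumptions made for the example.

```python
import json
import re

# Assumed names: the JWT claim "customer_id" and a single dataset role
# "Customer" whose DAX filter compares a column with USERNAME().
RLS_ROLE = "Customer"
CLAIM = "customer_id"
API = "https://api.powerbi.com/v1.0/myorg"


class EmbedDenied(Exception):
    """Raised when no trustworthy RLS identity can be derived."""


def build_generate_token_request(verified_claims, group_id, report_id, dataset_id):
    """Return (url, json_body) for the GenerateToken call.

    verified_claims must come from a JWT whose signature, issuer, audience
    and expiry the application has already checked. Nothing the browser
    sends (query string, form field, client-side filter) is consulted here.
    """
    customer = verified_claims.get(CLAIM)
    # Fail closed: never fall back to a default or shared identity.
    if not isinstance(customer, str) or not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", customer):
        raise EmbedDenied("missing or malformed %s claim" % CLAIM)
    identity = {
        "username": customer,      # value the role's filter sees via USERNAME()
        "roles": [RLS_ROLE],       # fixed server-side, never client-chosen
        "datasets": [dataset_id],
    }
    body = json.dumps({"accessLevel": "View", "identities": [identity]})
    url = "%s/groups/%s/reports/%s/GenerateToken" % (API, group_id, report_id)
    return url, body


if __name__ == "__main__":
    # Constructed sample claims and placeholder IDs.
    claims = {"sub": "constructed-subject", "customer_id": "C-10042"}
    url, body = build_generate_token_request(
        claims, "<workspace-id>", "<report-id>", "<dataset-id>")
    print("POST", url)
    print(body)
```

The request is sent from the server with the master account's access token; the browser only receives the resulting embed token, so the identity it carries cannot be changed client-side.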

Excellent. That answers my questions perfectly. 

 

Much Appreciated

 - Andy

In the Power BI embed solution I built, I am using the Master User approach. This master user has full access to all reports in the Power BI tenant. This means I only need one Power BI license.

Users of the application are set up in Azure; these can be internal or external users. If you already have a list of users from another system, you can do a bulk upload of users into Azure, so this isn't an issue.

When users log in to my app they are authenticated against Azure. Once they are verified, you have all the information needed for Row Level Security (RLS) to only show the user the data they are allowed to see.


I have posted some examples:

https://www.podiumbi.com/powerbi-reporting-software/

 

 
