Solved: Power BI Embedded with Row-Level Security?

kevhav · ‎05-18-2016

Help! We are looking into Power BI to see if it would work to replace our current enterprise BI solutions.

We have a Web-based client portal. We would like to use the new Power BI Embedded to embed a Power BI report in the client portal, for our clients. We have hundreds (or maybe even thousands) of clients who use our client portal. We would like to create and maintain a single, standard "client report" to embed in the client portal for each of our clients. But of course, when a given client logs in to our client portal, we only want the report to include data related to that client -- that is, we want "row-level security" (RLS)—or something like it—to be applied to this Embedded reports.

Is there any way to do this? If so, could somebody please explain how?

We have looked through the Power BI Embedded API documentation, and we are not sure. For example, our client portal would generate an app token; within the app token, can there be some information to identify who the user is, or what the client ID is, so that Power BI can apply RLS accordingly? Or is there some other mechanism?

Thanks!

kevhav · ‎07-11-2016

I see this has been implemented...

https://azure.microsoft.com/en-us/documentation/articles/power-bi-embedded-rls/

Thank you, Power BI team!

View solution in original post

kevhav · ‎07-11-2016

I see this has been implemented...

https://azure.microsoft.com/en-us/documentation/articles/power-bi-embedded-rls/

Thank you, Power BI team!

VishvaPowerBI · ‎08-28-2016

Hi , Is the sample code shown in the link working. I am talking abt code under the topic -- "Embed a Power BI report with in iFrame" (in the page How to use Power BI Embedded with REST) . the code located at the very bottom of the page with PHP code (start with

<?php
    // 1. power bi access key    $accesskey = "MpaUgrTv5e...";

    // 2. construct input value    $token1 = "{" ...

I changed access key, and other values and report id as well but it just display

This content is not available.
Learn more about Power BI.

Pls help...

nimishr · ‎10-29-2017

Hi Guys,

Just wondering if there has been any update to this? We are evaluating Embedded for a client and they need RLS. The forum discussion is very inconclusive.

Thanks in anticipation,

Nimish

gilbertocrespo · ‎10-30-2017

Maybe this content bellow may help you. It was updated on October 9, 2017.

https://powerbi.microsoft.com/en-us/documentation/powerbi-developer-embedded-rls/

shy9010 · ‎07-17-2016

Hi Kevhav

We are in exactly the same position as yourself in that we have a client portal who are authenticated through Azure Active Directory and when successful azure pass a bearer authentication token. I would very much like to authenticate our users using this token so the data pulled back will only be for them.

Have you got this implemented and got it working and if so would be great to know if you got row level security working for multi tenants.

Thanks

kevhav · ‎07-18-2016

Haven't implemented it yet, no. But we are considering it for future functionality, for our external consumers of reports.

kevhav · ‎06-02-2016

Thanks @higgim, that makes sense.

I'm confident that RLS is coming, soon enough, to Power BI Embedded.

What I wish I could find out now is how RLS/authentication will work, and whether there is an API for user management, so that we can automatically sync users of our client portal to Power BI Embedded users.

This says that Power BI Embedded and its "app token" model "does not require your app to use Azure Active Directory for user authentication and authorization, although you can do this."

So, I'm guessing that RLS for Power BI Embedded will mean setting up RLS roles/rules, and then adding Azure AD users as members to those roles. Then, the Power BI Embedded app token API will be extended to include an Azure AD user ID, or user name, so that Embedded knows how to apply RLS.

Can anyone from Microsoft confirm that the above is what will be released?

Then, our app—our "client portal"—does not use Azure Active Directory for user authentication and authorization. But I'm hoping that Azure AD has an API that would allow us to automatically sync our Azure AD with our set of client portal users. (Then, we could store each user's Azure AD user ID/user name in our client portal, in order to pass it along with the app token.)

Azure Active Directory Graph API appears to be such an API, for managing users in Azure AD. Right? Assuming RLS for Embedded will work as I have guessed at (above), then would anyone agree, or disagree, that using the Azure AD "Graph API" is a good solution for syncing Azure AD with our client portal users, to enable the passing of app tokens that include the Azure AD user ID/user name?

I wish I had the patience to "just wait and see," but we would really like to understand how Power BI Embedded with RLS will work, ASAP, in order to move forward with implementing Power BI across our organization -- as both an internal BI solution, and as a way to provide reports to our clients. Thanks!

kevhav · ‎06-02-2016

And, our internal users would be Power BI users, with Power BI Pro licenses via Office 365. They would not be Azure AD users.

Will our Power BI tenant—including RLS functionality—play nice with both our internal users (Power BI users) and our external users (recipients of Power BI Embedded reports, with RLS using Azure AD)?

kevhav · ‎06-02-2016

Also, to be sure, I'm assuming that if we would be adding all of our "client portal" users as Azure Active Directory users—for the purpose of delivering Power BI Embedded reports with RLS—then there would be no cost for Azure AD licenses for those users. For example, they would have "Azure Active Directory Free edition." Right?

higgim · ‎06-02-2016

We had a very similar problem. The only workaround we have at the moment is as follows:

Create Power BI Embedded workspaces for each of our customers. (One set of core reports for all customers)

Our reporting data is held in Azure SQL Databases with Row Level Security enabled.

The web app uses the user name and reads from a database table to tell the app which PowerBI workspace we should be connecting to (Workspace name, access key etc)

Each workspace connects to the database using a certain set of credentials which is used as part of RLS at the database level and therefore only returns the relevant customer data.

Not an ideal workaround but acceptable presently.

Anonymous · ‎05-19-2016

Fast forward to the Q&A in the video mentioned here

http://community.powerbi.com/t5/Developer/Power-BI-Embedded-access-control/m-p/27332

They are working on it.

kevhav · ‎05-23-2016

I did review that video, and heard from other channels that it is on the roadmap to have RLS with Power BI Embedded.

If anyone can say how this is being implemented, it would be much appreciated, so that we can anticipate and plan for how our integration might work.

For example, will I maintain some set of "Power BI Embedded users," separate from my set of internal users? And the app token will indicate who the user is? And those "Power BI Embedded users" can be put into roles, with rules, for RLS?

If so, will there be an API for creating/modifying/deleting "Power BI Embedded users" using the app in which we are embedding Power BI Embedded reports?

That's just a guess of how it might work, but...?

kevhav · ‎05-18-2016

Got it, thanks @Greg_Deckler

Any recommendations for a solution to this?

The simple solution might be: for each client, build one customized report containing data for only that client; and build an Azure workspace collection. But it seems like that would be a lot of duplicate work for hundreds or thousands of clients.

Greg_Deckler · ‎05-18-2016

Yes, more or less, building out a group workspace/workspace collection, data set and report with only that customer's data has basically been the only avenue up until RLS came along, which is not scalable at all. You could leverage RLS in the Power BI Service and simply iframe the report but that has its own flaws.

Bottom line, RLS coupled with Power BI Embedded is a complete and utter game changer.

@ me in replies or I'll lose your thread!!!
Instead of a Kudo, please vote for this idea
Become an expert!: Enterprise DNA
External Tools: MSHGQM
YouTube Channel!: Microsoft Hates Greg
Latest book!: The Definitive Guide to Power Query (M)

DAX is easy, CALCULATE makes DAX hard...

Greg_Deckler · ‎05-18-2016

I don't believe that Power BI Embedded currently supports RLS.

I have posted the Idea here:

https://ideas.powerbi.com/forums/265200-power-bi-ideas/suggestions/13892325-support-rls-for-power-bi...

Go vote for it! In my opinion, this would be an optimal solution for a huge number of business cases!

@ me in replies or I'll lose your thread!!!
Instead of a Kudo, please vote for this idea
Become an expert!: Enterprise DNA
External Tools: MSHGQM
YouTube Channel!: Microsoft Hates Greg
Latest book!: The Definitive Guide to Power Query (M)

DAX is easy, CALCULATE makes DAX hard...

Power BI Embedded with Row-Level Security?

Helpful resources

Microsoft Fabric Learn Together

Power BI Monthly Update - April 2024

Fabric Community Update - April 2024