Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
programthings
Frequent Visitor

Power Bi Embedded Dynamic Row Filtering with SQL Server and App Owns Data

‎04-19-2021 06:23 AM

tl;dr all of this already works so why doesn't the api endpoint support passing parameters to the role instead of requiring manual definition unless i'm just not finding the documentation of how row level filtering on a column is supposed to be achieved?

 

 

As my subject mentions, I am using the "App Owns Data" to embed reports for my customers. The data is stored in a SQL Server database. 
I am using RLS and want to be able to do it dynamically. So that a finished report doesn't need to be updated with new role information as customers are added or removed. I just want to be able to filter a column with one or more values in the embed token itself for obvious security reasons.

I am able to acheieve this manually  by creating the role as shown in my attached image. The role name is the same as the value name since they are unique to each of my customers.

programthings_0-1618838337946.png

 

 

So obviously this is achievable, but the 2 dynamic solutions to this i've been able to find require paying extra for Azure Analysis Services or make my customers have to create their own accounts with microsoft which means that microsoft now receives my individual customer data which seems to fly in the face of the "App Owns Data" intention.

The On-Premises Gateway connector clearly supports the ability to filter columns since it works via the manual way!

This leads me to believe I must just be unable to find the instructions of how to specify a column and array of values to filter it at the point of token creation, because everything thing needed to accomplish this is already in use!


Create a function called apiParameters() which can be used similarly to username() and userprincipalname()

"Role Name" [Column] = "manual string"

would be

"Role Name" [Column] = apiParameters()

 

request body would look like this...

 

...
  "identities": [
    {
      "username": "john@contoso.com",
      "roles":  [
        "RoleExpectingParameters": [
          "Param1",
          "Param2"
        ],
        "ManuallyCreatedRole" 
      ],
      "datasets": [
        "cfafbeb1-8037-4d0c-896e-a46fb27ff229"
      ]
    }
  ]
...

 

This would also ensure parameters couldn't be passed unless the report designer intended for that to be allowed by creating a role with apiParameters() as the value

Message 1 of 2
244 Views
0
1 REPLY 1
v-yiruan-msft
Community Support
Community Support

‎04-21-2021 12:46 AM

Hi @programthings ,

Based on my investigation, we can use DAX function USERNAME() or UserPrincipalName() or the CUSTOMDATA() function to implement dynamic RLS when the models with live connection mode that lie in Azure Analysis Services can use, I have not been able to find other way to achieve.  It must be a function or property that Power BI can recognize if use apiParameters to implement dynamic RLS. . .

Power BI Embedded: Convention-based dynamic Row-level Security

Working with Analysis Services live connections

Best Regards

Community Support Team _ Rena
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
Message 2 of 2
189 Views
0

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All