04-24-2018 01:34 PM - edited 04-24-2018 03:49 PM
I am in the process of building a multi-tenant application that requires visualizations. I am exploring PowerBI embedded for this purpose. I cannot use Power BI's row level security as data from each tenant cannot be in proximity to another tenant's data.
Each client will have different data sources but will need access to the same PowerBI report template. The only difference between clients and their reports will be the data sources their report points to.
Here's how I am approaching this problem:
- Create a dedicated PowerBI Pro user.
- With that user, register a PowerBI Native App at dev.powerbi.com/apps
- Create a PowerBI Workspace
- In that Workspace, create a PowerBI Report to use as a template for all my customers.
- In my web application
- For each new client
- Create a Workspace
- Create PowerBI Datasets for the client
- Clone the Report template into the client Workspace and associate it with the Datasets created above.
- As new data comes in, update the PowerBI Datasets
- Use the GenerateToken method to create a token for their specific report. Embed this token and their report in the client's page.
- Use the Client ID created above and my dedicated PowerBI user's credentials to get Access Token.
- With this access token, use the PowerBI REST API to do the following:
- When the client requests the report...
My concerns with this approach are the following:
- The report doesn't have user level authentication with my application. Someone could just extract the embedded report URL/token and pass it along.
- I am duplicating the Report. If I need to make a change to the report format, I need to propagate that change to all the cloned Reports.
- I am polluting my Azure AD tenant with groups from the Workspaces (one Workspace per client). I'm not even sure I need the Workspaces.
- I need to track metadata for all my PowerBI Datasets and Reports. If I don't, I will not know which PowerBI Datasets are compatible with which PowerBI reports.
How does this approach sound? Are there more sensible alternatives for my desired result?
Any input would be greatly appreciated!
04-25-2018 11:23 PM
There are some limits with the current Power BI REST API.
So I am afraid currently there is no proper way to overcome some of your concerns.
1. For security concern, please consider add authentication to your Application,
2. You may take a look at the following blog, which may help in your scenario,
3. If each group represents a different tenant, it is recommendded to have it in different workspaces,
4. Consider set up Data Refresh, you could re-bind Power BI Reports to the proper dataset with the Rebind API:
04-27-2018 02:53 AM - edited 04-27-2018 02:54 AM