We have an on-prem SQL Server 2016 (latest SP) with a tabular model that we access via the on-prem data gateway. As a test for row-based level security, we are trying to send an external user as the effective user ID, but that does not seem to work. Basiclly I added a user (e.g. firstname.lastname@example.org) and sending that user as the effective user id returns an access denied error. If we pass an existing Windows account (i.e. an Active Directory user) then it works as expected.
I wonder if Power BI would ever work with external users specified in an SSAS tabular model?
Is the test user(external) a B2B collaboration user in your organization? According to this documentation, the external users can be added with this feature should be B2B collaboration users that have been added to your organization.
In this sample, a B2B external user and a group are added to the Analyst role with Read permissions for the SalesBI database. Both the external user and group must be in same tenant Azure AD.
Thank you so much for providing us with this additional documentation.
No, the user is not B2B. But I am not sure if that would work either because having an external user in our Azure AD does not mean that that user would exist in our on-prem AD. Bear in mind that, as per my original post, this is an on-prem implementation of SSAS which authenticate users within our on-prem Active Directory.
I wonder if the Power BI gteway automatically forwards external users in the taxonomy of their correspondent shadow account in the AD -- even if not the AD in Azure (that is, an AD on prem). So for example if I log-in as email@example.com, it effectively forwards john_example.com#EXTfirstname.lastname@example.org. So I have created this account in my local AD and I have added it into a role in a test tabular model. I'll revert back on my tests later on.
If it does not, then we'll develop a solution around shadow accounts.