opensky
Regular Visitor

Unable to get RLS security to work with an “app owns data” embedded PBI using Azure Analysis Service

Hello,

 

I am looking for some help getting RLS to work with embedded Power BI and AAS. Here is the scenario:

 

  1. Deploying as App-owns-data
  2. RLS setup with roles in AAS (RLS not configured in PBI)
  3. Power BI using a live connection to AAS
  4. Using Javascript to embed a Power BI report into a webpage

 

I verified that the roles are restricting data as expected by connecting to AAS using the Power BI client and Excel.

 

Able to successfully retrieve an access token from: https://login.microsoftonline.com/common/oauth2/token

 

Able to generate an embed token by hitting: https://api.powerbi.com/v1.0/myorg/groups/<groupId>/reports/<reportId>/GenerateToken

 

With the embed token I am able to successfully embed a report with no RLS applied.

 

However, when attempting to use identities to apply roles or customData to trigger RLS, the data doesn’t seem to pass through to AAS and the RLS is not applied.

 

I'm creating the embed token by hitting:

 

https://api.powerbi.com/v1.0/myorg/groups/<groupId>/reports/<reportId>/GenerateToken

 

With this data:

 

formData = {
  "accessLevel": "View",
  "identities": [
    {
      "username": userName,
      "roles": [ role ],
      "customData": customData,
      "datasets": [ datasetId ]
    }
  ]
}

 

Using the generated token doesn’t cause RLS to be applied when the report is embedded.

 

By adding the username and customData fields to a PBI report I can see that the username that AAS sees is the master account that is used for getting the access token, not the effective username passed in the identities payload. The customData value doesn’t show up in the report either.

 

I also tried the PowerBIEmbedded_AppOwnsData sample project from here: https://github.com/Microsoft/PowerBI-Developer-Samples/tree/master/App%20Owns%20Data/PowerBIEmbedded...

 

This sample project successfully embeds the report but when I select the “View as a different user” and add a user and role I get the following error:

 

{"error":{"code":"InvalidRequest","message":"Creating embed token for accessing dataset <id> requries effective identity username to be identical to the caller's principal name"}}

 

For additional reference, the dataset has these properties set:

 

isRefreshable: false,
isEffectiveIdentityRequired: true,
isEffectiveIdentityRolesRequired: false,
isOnPremGatewayRequired: false

 

Any suggestions on what I am doing wrong? Thanks for any help!

4 REPLIES 4
v-jiascu-msft
Employee

Hi @opensky,

 

Please refer to embedded-row-level-security#working-with-analysis-services-live-connections. I think you can get the solutions there.

 

Best Regards,

Dale

Community Support Team _ Dale
If this post helps, then please consider accepting it as the solution to help other members find it more quickly.

Thank you for the response Dale. I did review that documentation before posting to this forum but have not been able to figure out what I am doing wrong.

 

I've seen conflicting messages in posts and in the MSFT documentation, can you confirm:

 

1. Are roles supported in Azure Analysis Services when using PBI embed tokens? (RLS not defined in PBI)

2. Is CustomData supported in Azure Analysis Services when using PBI embed tokens?

 

Thanks!

 

Hi @opensky

 

There are a couple of settings that you need to get right.

In the representation of the embed token below, "username" should always be the master/service account, which is a Power BI Pro account. The dataset in Power BI should be configured using this account.

The "roles" attribute should contain the role name that you have configured in your Azure AS model.

The "customData" attribute should contain the username for whom you want to process the report.

The DAX expression for the AS role should use the CUSTOMDATA() function instead of USERNAME().

 

 

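formData = {
  "accessLevel": "View",
  "identities": [
    {
      "username": "<master/service account>",  // master/service account (Power BI Pro)
      "roles": [ rolename ],                    // role name configured in the Azure AS model
      "customData": "user@domain.com",          // user for whom the report is processed
      "datasets": [ datasetId ]
    }
  ]
}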

Hi @opensky,

 

The documentation is quite clear.

1. Please refer to developer/embedded-row-level-security#considerations-and-limitations.

>>>Azure Analysis Services live connections support filtering by roles, but not dynamic by username. Dynamic filtering can be done using CustomData.

2. Please refer to the blue Note in embedded-row-level-security#working-with-analysis-services-live-connections.

>>>The CustomData feature will only work for models that reside in Azure Analysis Services, and it only works in live mode. Unlike users and roles, the custom data feature can't be set inside a .pbix file. When generating a token with the custom data feature you must have a user name.

 

Best Regards,

Dale

Community Support Team _ Dale
If this post helps, then please consider accepting it as the solution to help other members find it more quickly.
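
A pre-flight check for the GenerateToken body discussed in this thread, as an added example that is not code from any poster or from the Microsoft sample project. It builds the identity the way the reply above describes (master account as username, AAS role, end user in customData) and lists the reasons a body would embed without a usable RLS identity; the function names and sample values are hypothetical.

```javascript
// Added example. Function names and sample values are hypothetical; only the
// payload fields and the dataset flag come from the thread.

// Identity shaped as the reply describes for an AAS live connection:
// username = master/service account, roles = AAS role, customData = end user.
function buildAasIdentity({ masterAccount, endUser, role, datasetId }) {
  return { username: masterAccount, roles: [role], customData: endUser, datasets: [datasetId] };
}

// Returns a list of problems; an empty list means the body may be sent.
function preflight(dataset, body, callerPrincipal) {
  const problems = [];
  const ids = (body.identities || []).filter((i) => (i.datasets || []).includes(dataset.id));
  if (dataset.isEffectiveIdentityRequired && ids.length === 0) {
    problems.push("no effective identity targets this dataset");
  }
  for (const id of ids) {
    // Mirrors the service error quoted in the first post.
    if (id.username !== callerPrincipal) {
      problems.push("username is not the caller's principal name");
    }
    // RLS in this setup lives in AAS roles, so the example insists on one.
    if (!Array.isArray(id.roles) || id.roles.filter(Boolean).length === 0) {
      problems.push("no AAS role supplied");
    }
    // The role's DAX filter reads CUSTOMDATA(); an empty value gives it nothing to match.
    if (typeof id.customData !== "string" || id.customData.trim() === "") {
      problems.push("customData is empty");
    }
  }
  return problems;
}

// Constructed sample values.
const dataset = { id: "00000000-0000-0000-0000-000000000000", isEffectiveIdentityRequired: true };
const master = "pbi-master@contoso.example";
const endUser = "alice@contoso.example";

// First post's shape: the end user sits in "username".
const asPosted = { accessLevel: "View", identities: [
  { username: endUser, roles: ["SalesRegion"], customData: endUser, datasets: [dataset.id] } ] };
// Reply's shape: master account in "username", end user in "customData".
const asAdvised = { accessLevel: "View", identities: [
  buildAasIdentity({ masterAccount: master, endUser, role: "SalesRegion", datasetId: dataset.id }) ] };

console.log(preflight(dataset, asPosted, master));
console.log(preflight(dataset, asAdvised, master));
console.log(preflight(dataset, { accessLevel: "View" }, master));
```

Running the check server-side before calling GenerateToken keeps a misbuilt identity from producing an embed token at all, rather than discovering in the browser that the report shows unfiltered data.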
