Hello,
I am looking for some help getting RLS to work with embedded Power BI and AAS. Here is the scenario:
1. I verified that the roles are restricting data as expected by connecting to AAS using the Power BI client and Excel.
2. Able to successfully retrieve an access token from: https://login.microsoftonline.com/common/oauth2/token
3. Able to generate an embed token by hitting: https://api.powerbi.com/v1.0/myorg/groups/<groupId>/reports/<reportId>/GenerateToken
4. With the embed token I am able to successfully embed a report with no RLS applied.
However, when attempting to use identities to apply roles or customData to trigger RLS, the data doesn’t seem to pass through to AAS and the RLS is not applied.
I'm creating the embed token by hitting:
https://api.powerbi.com/v1.0/myorg/groups/<groupId>/reports/<reportId>/GenerateToken
With this data:
formData = {
  "accessLevel": "View",
  "identities": [
    {
      "username": userName,
      "roles": [ role ],
      "customData": customData,
      "datasets": [ datasetId ]
    }
  ]
}
Using the generated token doesn’t cause RLS to be applied when the report is embedded.
By adding the username and customData fields to a PBI report I can see that the username that AAS sees is the master account that is used for getting the access token, not the effective username passed in the identities payload. The customData value doesn’t show up in the report either.
I also tried the PowerBIEmbedded_AppOwnsData sample project from here: https://github.com/Microsoft/PowerBI-Developer-Samples/tree/master/App%20Owns%20Data/PowerBIEmbedded...
This sample project successfully embeds the report but when I select the “View as a different user” and add a user and role I get the following error:
{"error":{"code":"InvalidRequest","message":"Creating embed token for accessing dataset <id> requries effective identity username to be identical to the caller's principal name"}}
For additional reference, the dataset has these properties set:
isRefreshable: false,
isEffectiveIdentityRequired: true,
isEffectiveIdentityRolesRequired: false,
isOnPremGatewayRequired: false
Any suggestions on what I am doing wrong? Thanks for any help!
Hi @opensky,
Please refer to embedded-row-level-security#working-with-analysis-services-live-connections. I think you can get the solutions there.
Best Regards,
Dale
Thank you for the response Dale. I did review that documentation before posting to this forum but have not been able to figure out what I am doing wrong.
I've seen conflicting messages in posts and in the MSFT documentation, can you confirm:
1. Are roles supported in Azure Analysis Services when using PBI embed tokens? (RLS not defined in PBI)
2. Is CustomData supported in Azure Analysis Services when using PBI embed tokens?
Thanks!
Hi @opensky
There are a couple of settings that you need to get right.
In the below representation of the embed token, "username" should always be the master/service account, which is a Power BI Pro account. The dataset in Power BI should be configured using this account.
The "roles" attribute should contain the role name that you have configured in your Azure AS model.
The "customData" attribute should contain the username for whom you want to process the report.
The DAX expression for the AS role should use the CUSTOMDATA() function instead of USERNAME().
formData = {
  "accessLevel": "View",
  "identities": [
    {
      "username": "<master/service account>",
      "roles": [ rolename ],
      "customData": "user@domain.com",
      "datasets": [ datasetId ]
    }
  ]
}
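The identity layout from the reply above, together with a pre-flight check against the dataset flags and the InvalidRequest error quoted in the question, as an added example that is not part of any post in this thread. The account name, role name and ids are constructed placeholders, the function names are hypothetical, and the request is built but never sent.

```python
import json
import urllib.request

API = "https://api.powerbi.com/v1.0/myorg/groups/{group}/reports/{report}/GenerateToken"

def build_identity(master_upn, aas_role, end_user, dataset_id):
    """Effective identity for an AAS live connection, laid out as in the reply above."""
    return {
        "username": master_upn,   # master/service account, not the end user
        "roles": [aas_role],      # role defined in the AAS model
        # Take end_user from the authenticated server-side session, never from
        # client-supplied input: it is the value the role's CUSTOMDATA() filter sees.
        "customData": end_user,
        "datasets": [dataset_id],
    }

def preflight(identity, dataset_props, caller_upn):
    """List the problems that would get the call rejected or leave RLS unfiltered."""
    problems = []
    username = identity.get("username") or ""
    if dataset_props.get("isEffectiveIdentityRequired") and not username:
        problems.append("dataset requires an effective identity username")
    if dataset_props.get("isEffectiveIdentityRolesRequired") and not identity.get("roles"):
        problems.append("dataset requires at least one role")
    if identity.get("customData") and not username:
        problems.append("customData needs a username in the same identity")
    if username.lower() != caller_upn.lower():
        # Mirrors the InvalidRequest error quoted in the question.
        problems.append("username differs from the caller's principal name")
    if not identity.get("customData"):
        problems.append("no customData: CUSTOMDATA() has no per-user value to filter on")
    return problems

def build_request(access_token, group_id, report_id, identity):
    """Build (without sending) the GenerateToken POST for one effective identity."""
    body = {"accessLevel": "View", "identities": [identity]}
    return urllib.request.Request(
        API.format(group=group_id, report=report_id),
        data=json.dumps(body).encode(),
        headers={"Authorization": "Bearer " + access_token,
                 "Content-Type": "application/json"},
        method="POST",
    )

# Constructed sample values; the two dataset flags are the ones listed in the question.
DATASET_PROPS = {"isEffectiveIdentityRequired": True, "isEffectiveIdentityRolesRequired": False}
MASTER = "svc-embed@contoso.example"
GOOD = build_identity(MASTER, "RegionReader", "user@domain.com", "<datasetId>")
BAD = build_identity("user@domain.com", "RegionReader", "", "<datasetId>")
```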
Hi @opensky,
The documentation is quite clear.
1. Please refer to developer/embedded-row-level-security#considerations-and-limitations.
>>>Azure Analysis Services live connections support filtering by roles, but not dynamic by username. Dynamic filtering can be done using CustomData.
2. Please refer to the blue Note in embedded-row-level-security#working-with-analysis-services-live-connections.
>>>The CustomData feature will only work for models that reside in Azure Analysis Services, and it only works in live mode. Unlike users and roles, the custom data feature can't be set inside a .pbix file. When generating a token with the custom data feature you must have a user name.
Best Regards,
Dale