Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

0
inayatkhan

BUG : Power BI is not executing the Roles of the Multidimensional Roles when using Direct connection

Submitted by on ‎05-09-2018 04:07 AM

BUG : Power BI  service is not executing the Roles of the Multidimensional Roles when using Direct connection via the Gateway.

 

The Power BI gateway is successfully set and the effective user name has identified the user connecting and the replacement of this with the Active Directory is working . As the report is showing the User name e.g "US\Elu". See highlighted in blue line.

 

This is a Power BI Gateway communicating to an on premise gateway communicating with Direct connect to the Analysis Services multidimensional cube. The server administrator is successfully connecting and as mentioned effective user name is passing the users AD account details through to Analysis services. 

 

Account Role not working in Power BI using direct connect with Gateway..PNG

 

The dynamic role is correctly filtering the customers to those authorised for the user when the user connects via Excel, In this case the list is limited to "Acronis"

 

Account Role working in Excel.PNG

 

However Power Bi is not executing the roles correctly as the report is returning all the customer and not the authorised one,e.g Acronis.  See Acronis and Airbus in yellow as well as all the other customers.

 

Account Role not working in Power BI using direct connect with Gateway..PNG

Finally when I build a report in Power BI desktop  and log in as US\Elu the report using direct connnect does respect the SSAS cubes role as it only returns the authorised customer "Acronis". So the code in the role is valid and works! As you can see below circled by a blue line.

 

Account Role working in Power BI Desktop.PNG

 

Please answer why the power BI service is not executing the roles when the report is run.

 

 

Status: Delivered
See more ideas labeled with:
5 Comments (5 New)
Comments
v-qiuyu-msft
Community Support
Community Support
‎05-09-2018 11:45 PM

Hi @inayatkhan,

 

1. From your description, it seems that you have used Map user names to replace the Power BI email address to a valid email, right? Please ensure corresponding UPN for this valid email address is not a SSAS administrator. 

 

2. Please use Test as role feature on Power BI service to validate the role: https://docs.microsoft.com/en-us/power-bi/service-admin-rls#validating-the-role-within-the-power-bi-...

 

3. Please update the on-premise data gateway to the latest version. 

 

Best Regards,
Qiuyun Yu 

inayatkhan
Frequent Visitor
‎05-10-2018 03:35 AM

Hi,

 

1. We are not using MAP user name. UPN is not a SSAS administrator

 

2. We do not wish to use Row Level security in Power Bi , when need to use the Multidimensional SSAS cube security roles. ( This is more powerful and less maintenance) 

 

3. We are on version 14.16.6670.1 (April 2018) which is the latest version.

 

So the issue remains that effective user name is being correctly passed to Analysis services, it is showing in the SQL profiler image below, and running under the Server administrator account. The effective user name is finding the AD account value to show in the report running on the azure Power BI service but the role is not work to restrict access. Note roles in the cube are working from Excel and from Power BI desktop.

 

SQL Profiler Showing NT account and Effectiver User Name USELu.PNG

v-qiuyu-msft
Community Support
Community Support
‎05-11-2018 01:24 AM

Hi @inayatkhan,

 

I would suggest you create a support ticket to get dedicated support. 

 

Support Ticket.gif

 

Best Regards,
Qiuyun Yu 

Vicky_Song
Impactful Individual
Impactful Individual
‎05-11-2018 01:26 AM
Status changed to: Delivered
 
inayatkhan
Frequent Visitor
‎05-23-2018 06:21 AM

Resolved ! 

The users had been placed in the AD local administrators group in order to allow remote access to the server, but once they were removed from this and placed in an AD group simply allowing remote access it was then possible to see that the effective user name was identified as the active directory user in the role and the SSAS role based security then worked.   All other steps in setting up the gateway had been correct. 

 

 

 

 

 

Idea Statuses