cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
pushkarajb
Frequent Visitor

Azure Analysis Services authentication

Hi,

 

We are trying to set up a new Azure Analysis Services(AAS) model which will be locked down only to a small set of report developers as it will contain sensitive data.

These report developers should be able to connect to the model and build their own reports and publish them to the Power BI service. If they share the reports with end-users(report viewers), the latter should be able to view the reports. However, these report viewers should not be able to connect directly to the model via Power BI Desktop.

 

If we were to add a READ-only role on the model, and add only report developers to that role, report viewers would not be able to see the data when reports have been shared with them.

If we were to add report viewers as well to the role, they would be able to see the data in the reports but that would also enable them to SEE the model and create their own reports via Power BI Desktop(AAS connector), if they somehow managed to get the AAS server name.

 

This link states that:
When connecting from Power BI to Azure Analysis Services, you are connected as your Azure Active Directory identity. This is the same identity as you would have used to sign into Power BI. If you share the report to any other users, you must ensure those users have access to your model.

 

Isn't there a way to use something like a service account for authentication. If there is a way to do so, then I imagine that we only need to add the service account and the report developers' accounts to the database role on the AAS model. Then set up a Power BI gateway and add the AAS model as a datasource along with the service account's credentials.

This way, report develoeprs will be able to author reports in Power BI Desktop and publish to the Power BI service using their personal credentials.

When the reports have been shared, report viewers will be able to see the data, assuming the authentication happens via the service account credentials on the gateway. However, they will not be able to create reports via Power BI Desktop as their personal credentials would not have access to the model.

 

Thank you for reading the lengthy post. Would really appreciate if someone could give pointers to solve this problem. Thanks in advance!

5 REPLIES 5
pushkarajb
Frequent Visitor

Hi Stephen,

 

Sorry for the delay in getting back to you. We are really looking for something that will help us enable a service account-based authentication for the AAS model so that report developers can query the model and build reports without any restriction using the service account, whereas report viewers should be able to SEE the data in the shared reports based on the generic service-account authentication (and not via their individual identities).

 

Regards,

Pushkaraj

v-stephen-msft
Community Support
Community Support


Hi @pushkarajb ,


Sorry to disturb you...


But did I answer your question ? Please mark my reply as solution. Thank you very much.

 

 


Best Regards,
Stephen Tao

pushkarajb
Frequent Visitor

Hi Stephen,

 

Many thanks for your response! I agree that security can be managed at the Power BI Service level.

However, if all users are provided READ access to the Tabular model in AAS, they will be able to see and query the model via Power BI Desktop.

As the data is very sensitive, we want to restrict access to the model to only specific report developers and not report viewers.

Hi @pushkarajb ,

 

I think you may need Row-level security (RLS) to restrict data access.

 

However, for Analysis Services or Azure Analysis Services lives connections, you configure Row-level security in the model, not in Power BI Desktop. 

 

Reference: https://docs.microsoft.com/en-us/power-bi/admin/service-admin-rls

 

 

Best Regards,

Stephen Tao

 

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

v-stephen-msft
Community Support
Community Support

Hi @pushkarajb ,

 

If you select Allow users to build new content using the underlying datasets, they can create their own reports in other workspaces based on the dataset for this dashboard. Read more about creating reports based on datasets from different workspaces.

1.png

 

And if you want to see who has access to a dashboard or report, in the list of dashboards and reports, or in the dashboard or report itself, select Share.

2.png

 

 

For more information, you can refer to:

https://docs.microsoft.com/en-us/power-bi/collaborate-share/service-share-dashboards

 

 

 

Best Regards,

Stephen Tao

 

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Helpful resources

Announcements
PBI User Groups

Welcome to the User Group Public Preview

Check out new user group experience and if you are a leader please create your group

April Update

Check it Out!

Click here to read more about the April 2021 Updates!

MBAS Carousel

Sign up for our May 4th event!

May the fourth be with you, join us online!

secondImage

The largest Power BI virtual conference

100+ sessions, 100+ speakers, Product managers, MVPs, and experts. All about Power BI. Attend online or watch the recordings.

Top Solution Authors
Top Kudoed Authors