zdehanzal
Regular Visitor

Dataset with organizational account not passing user credentials dynamically

Hello,

 

We have a Google BigQuery dataset (data source) published in DirectQuery mode with the OAuth authentication method, organizational account as the type, and RLS set on the data source side (in BigQuery) using the user UPN.

It works fine for the person who published the dataset (as it's using their credentials and security is applied on BQ correctly), but other people running reports using this dataset still see the data for the user who published the dataset, so the credentials are not passed dynamically.

We would expect it to pass their organizational info (UPN) and apply RLS at the data source level.

 

"The answer depends on whether you're importing data or using DirectQuery. If you're importing data into your Power BI dataset, the security roles in your data source aren't used. In this case, you should define RLS to enforce security rules for users who connect in Power BI. If you're using DirectQuery, the security roles in your data source are used. When a user opens a report Power BI sends a query to the underlying data source, which applies security rules to the data based on the user's credentials."

https://docs.microsoft.com/en-us/power-bi/guidance/whitepaper-powerbi-security

 

Regards

1 ACCEPTED SOLUTION

Credentials passthrough is only supported on SSAS data sources. For everything else you need to use RLS.


4 REPLIES
zdehanzal
Regular Visitor

Hello,

 

What we actually want to achieve is to use RLS defined on our data source, which is BigQuery.

We have a secured view using UPN (passed via OAuth).

It's working fine with other BI tools, but in Power BI we are using the organizational account configured, but the security at the data source level does not work. The data are not filtered on the data source for people running the report using their credentials; their account is not being passed via the connection to the data source to filter the table view.

 

Regards

Zdenek

v-jingzhang
Community Support

Hi @zdehanzal 

 

If you want to apply RLS in Power BI, you need to first define RLS roles and rules in Power BI Desktop. After publishing the dataset into Power BI Service, open the workspace where you saved the dataset and add security members to RLS roles on the model. Below are steps for adding members to RLS roles. 

 

  1. In the Power BI service, select the More options menu for a dataset. This menu appears when you hover on a dataset name, whether you select it from the navigation menu or the workspace page.

  2. Select Security. Security will take you to the Role-Level Security page where you add members to a role you created in Power BI Desktop. Only the owners of the dataset will see Security. If the dataset is in a Group, only administrators of the group will see the security option.

  3. Add a member to the role by typing in the email address or name of the user or security group. You can use the following groups to set up row level security.

    • Distribution Group
    • Mail-enabled Group
    • Security Group

    Note, however, that Office 365 groups are not supported and cannot be added to any roles.

 

Additionally, for the dataset owner (the person who published the dataset), RLS will not be applied to him. If the dataset is in a new workspace, the RLS roles are applied to members who are assigned to the Viewer role in the workspace. Workspace members assigned Admin, Member, or Contributor have edit permission for the dataset and, therefore, RLS doesn’t apply to them. If you want RLS to apply to people in a workspace, you can only assign them the Viewer role.

 

For more details about RLS settings, please refer to Row-level security (RLS) with Power BI - Power BI | Microsoft Docs

 

In your scenario, you have defined security roles in the datasource and connected to it using DirectQuery. For the person who published the dataset, the RLS rules in Power BI model won't work. The rules in the datasource will work. For other report users, ensure that they only have read (or viewer) permission on the report. And add them as members to the security roles in Power BI Service. 

 

Below FAQ should be helpful:

 

Question: My data source already has security roles defined (for example SQL Server roles or SAP BW roles). What is the relationship between these and RLS?
Answer: The answer depends on whether you're importing data or using DirectQuery. If you're importing data into your Power BI dataset, the security roles in your data source aren't used. In this case, you should define RLS to enforce security rules for users who connect in Power BI. If you're using DirectQuery, the security roles in your data source are used. When a user opens a report Power BI sends a query to the underlying data source, which applies security rules to the data based on the user's credentials.

Restrict data access with row-level security (RLS) for Power BI Desktop - Power BI | Microsoft Docs

 

Best Regards,
Community Support Team _ Jing
If this post helps, please Accept it as Solution to help other members find it.

Actually, when setting up the organizational account, we would expect that when a user is logged in to the Power BI service and running the report, it would send the report queries using their account/credentials.

Instead, it looks like it's always using the organizational account which published the dashboard/dataset from Power BI Desktop, so it is not dynamic on the data source published.

Credentials passthrough is only supported on SSAS data sources. For everything else you need to use RLS.
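
Added example, not part of any post in this thread: a BigQuery sketch of the source-side filter the question describes, a diagnostic view that shows which identity the source actually sees through the published connection, and the entitlement mapping that RLS defined in the Power BI model would filter on instead. The dataset, table and column names (`demo.sales`, `demo.entitlements`, `user_upn`, `region`) are hypothetical; `SESSION_USER()` and the DAX function `USERPRINCIPALNAME()` are the real built-ins.

```sql
-- Constructed example for BigQuery; the dataset, table and column names
-- (demo.sales, demo.entitlements, user_upn, region) are hypothetical.

-- 1) Source-side row filter of the kind described in the question.
--    SESSION_USER() returns the e-mail address of the account that runs the
--    query, which is the account whose OAuth token the connection carries.
CREATE OR REPLACE VIEW demo.sales_secured AS
SELECT s.*
FROM demo.sales AS s
WHERE EXISTS (
  SELECT 1
  FROM demo.entitlements AS e
  WHERE e.region = s.region
    AND LOWER(e.user_upn) = LOWER(SESSION_USER())
);

-- 2) Diagnostic view: put this single value on a report page (a card visual)
--    and have two different users open the report. If both see the
--    publisher's address, the source only ever sees the stored credential
--    and the view above filters every viewer as the publisher.
CREATE OR REPLACE VIEW demo.whoami AS
SELECT SESSION_USER() AS identity_seen_by_bigquery;

-- 3) Input for RLS defined in the Power BI model instead: expose the
--    unfiltered fact table plus the entitlement mapping, relate them on
--    region in the model, and filter the mapping table in a role with the
--    DAX expression
--        [user_upn] = USERPRINCIPALNAME()
--    The stored credential then needs read access to both objects, and
--    report users need the Viewer role for the filter to apply to them.
CREATE OR REPLACE VIEW demo.entitlements_for_rls AS
SELECT DISTINCT LOWER(user_upn) AS user_upn, region
FROM demo.entitlements;
```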
