detlev Regular Visitor

I would like to have some detailed information about PBI security towards on premise SSAS mode

PBI sessions are initiated with an O365 account of the user who starts powerbi.com, which is 'the same' account as on premise. The stored gateway data source credentials are then used to connect to the SSAS server. Am I right so far?

But I guess the SSAS engine still retrieves the original user account to check if this end user is part of a read role in the SSAS model and to be used in DAX for RLS, etc.

How does this work? And at which stage are the user credentials passed to the model? Where can I find more detailed information on this topic?

I use Extended Events sessions on the on-premises SSAS server to audit detailed information on sessions, logins, logouts and queries, but most of the time I see the stored gateway data source credentials rather than the end user who is querying the models.

1 ACCEPTED SOLUTION

Moderator v-yuezhe-msft

Re: I would like to have some detailed information about PBI security towards on premise SSAS mode

@detlev,

Do you connect to SSAS in Power BI using a "Connect Live" mode?

Dynamic RLS only works with a live connection, and in this case, Power BI uses the effectiveusername property to send the current Power BI user credential to the on-premises SSAS data source to run the queries. The email address that is used to sign in to Power BI is passed to Analysis Services as the effective user. You can use SQL Profiler to capture the background process.

Reference:
https://docs.microsoft.com/en-us/power-bi/desktop-tutorial-row-level-security-onprem-ssas-tabular



Regards,
Lydia

Community Support Team _ Lydia Zhang
If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.
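The audit gap raised in the question, as an added example that is not part of the original thread: a small Python pass over exported trace events that attributes each query to the effective user instead of the gateway login, and flags any login outside the expected gateway accounts that sets an effective user. It assumes the events were exported as dictionaries with `EventClass`, `NTUserName` and `RequestProperties` fields and that the effective user appears as an `EffectiveUserName` element in the request's property list; the account names and sample events are constructed.

```python
import xml.etree.ElementTree as ET

XMLA_NS = "{urn:schemas-microsoft-com:xml-analysis}"
_PL = '<PropertyList xmlns="urn:schemas-microsoft-com:xml-analysis"><Catalog>Sales</Catalog>%s</PropertyList>'

# Constructed sample events (field names are assumptions about the export format).
SAMPLE_EVENTS = [
    {"EventClass": "QueryBegin", "NTUserName": "svc_pbigateway",
     "RequestProperties": _PL % "<EffectiveUserName>alice@contoso.com</EffectiveUserName>"},
    {"EventClass": "QueryBegin", "NTUserName": "bob", "RequestProperties": _PL % ""},
    {"EventClass": "QueryBegin", "NTUserName": "adm_carol",
     "RequestProperties": _PL % "<EffectiveUserName>dave@contoso.com</EffectiveUserName>"},
]

def effective_user(request_properties):
    """Return the EffectiveUserName found in a property-list XML string, or None."""
    if not request_properties:
        return None
    try:
        root = ET.fromstring(request_properties)
    except ET.ParseError:
        return None  # truncated or non-XML column value
    for el in root.iter():
        # Compare the local tag name, with or without the XMLA namespace.
        if el.tag.replace(XMLA_NS, "").lower() == "effectiveusername":
            return (el.text or "").strip() or None
    return None

def attribute(events, gateway_accounts):
    """Map each event to the end user it ran as, not only the connecting login."""
    gateways = {a.lower() for a in gateway_accounts}
    rows = []
    for ev in events:
        login = ev.get("NTUserName", "")
        eff = effective_user(ev.get("RequestProperties"))
        rows.append({
            "event": ev.get("EventClass"),
            "login": login,
            "end_user": eff or login,
            "via_gateway": login.lower() in gateways,
            # Impersonation by a login that is not a known gateway account.
            "review": eff is not None and login.lower() not in gateways,
        })
    return rows

if __name__ == "__main__":
    for row in attribute(SAMPLE_EVENTS, ["svc_pbigateway"]):
        print(row)
```

The `review` flag is useful because an account has to be an Analysis Services server administrator to connect with an effective user, so that right is normally limited to the gateway's stored account.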