Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
Recce
New Member

On-Premise Gateway data source account seems to require Local Admin on the Server to refresh

‎02-26-2021 11:23 AM

I have an on-premise data gateway connecting to an on-premise SSAS 2019. I've been able to get it to work, but only by adding the account used to connect to the SSAS (ie. the credentials setup in the data source on the gateway) to the Local Administrators group on the SSAS server. I'd prefer it if this wasn't necessary and I had a setup with more mininal permissions.

 

The setup is as follows:

  • The SSAS Service is running under a domain user account.
  • The gateway is clustered and running as the NT Service account. 
  • The account (GatewayReader) used in the data source on the gateway is an Admin for SSAS service. I have also added the account into the Windows Authorization Access (WAA) group in the Active Directory.

When attempting to refresh a PowerBI dataset configured to connect to the SSAS through the on-premise data gateway, I get following error:

the AnalysisServices: XML for Analysis parser: The 'ST@Ranger.com' value of the 'EffectiveUserName' XML for Analysis property is not valid.

 

When I add the GatewayReader account into the Local Administrators group of the SSAS server, then it works. What permissions / privilages should I give the GatewayReader account so that it no longer has to be a Local Admin?

 

Thanks in advance

Labels:
Message 1 of 6
1,095 Views
0
1 ACCEPTED SOLUTION
Recce
New Member

‎03-01-2021 03:28 PM

Misunderstanding on my part. The acccount the SSAS service is running under needs to belong to Windows Authorization Access group in Active Directory, not the GatewayReader in my example above.

 

Strangely this group assignment isn't required when the client is on the internal network / domain, but is required in the cross domain scenario of having the client being the PowerBI cloud service connecting to the on-premise gateway. There's proably something else at play here that I don't understand. 

View solution in original post

Message 6 of 6
1,005 Views
0
5 REPLIES 5
Recce
New Member

‎03-01-2021 03:28 PM

Misunderstanding on my part. The acccount the SSAS service is running under needs to belong to Windows Authorization Access group in Active Directory, not the GatewayReader in my example above.

 

Strangely this group assignment isn't required when the client is on the internal network / domain, but is required in the cross domain scenario of having the client being the PowerBI cloud service connecting to the on-premise gateway. There's proably something else at play here that I don't understand. 

Message 6 of 6
1,006 Views
0
lbendlin
Super User
Super User

‎03-01-2021 06:08 AM

That's exactly our problem too. Nobody can tell me if the Discover permission can be given to a non-admin role. Do you have any advice on that?

Message 4 of 6
1,041 Views
0
Recce
New Member
In response to lbendlin

‎03-01-2021 06:48 AM

Speaking from a position of ignorance (I'm woefully lack experience in the SSAS and PowerBI space), I don't see the SSAS Admin role as big a problem / security risk as I thought it was going to be because of the EffectiveUserName property. 

 

We currently has a SSAS multi-dimensional model and have setup a data source on the on-premise gateway for it. Any report author who attempts to refresh their data set using the gateway will find that the refresh is completed using the Admin creds impersonating the owner of the data set, via the EffectiveUserName property. They will not be able to populate the data set with any data / measure that the owner of the data set does not have permissions for. 

 

I would prefer to not the give the account SSAS Admin role, but I don't see a way around that. As the account is performing impersonation (within the scope of SSAS), the account is always going to be privileged within SSAS. Until Microsoft provides an actual SSO credential type connection for SSAS, as they have done for SQL Server, I don't see a viable alternative. 

 

But it should be possible for the gateway to leverage EffectiveUserName property without us having to grant Local Admin on the server. 

Message 5 of 6
1,032 Views
lbendlin
Super User
Super User

‎02-27-2021 03:53 PM

The account needs Read and Discover privileges.

Message 2 of 6
1,072 Views
0
Recce
New Member
In response to lbendlin

‎03-01-2021 01:53 AM

The account is an Administrator for the SSAS service and so will have Discover and Read permissions through that. The permissions that I'm hoping to "trim" is the account being a Local Administrator of the actual server. A member of the Windows Local Administrators group

Message 3 of 6
1,051 Views
0

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All
Top Solution Authors
View All
Top Kudoed Authors
View All