Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.
I have connected to BW via a Bex query to create a data set and published to the service. Then power users (read write share) can connect to that data source in Power bi as a shared data set. They create content and share with other users (read only). The problem I have is the read only users are able to see the same view I have when I created the shared data set.
How do we make users enter their credentials to pass through RLS that works when connecting with test users directly from the desktop to the Bex query?
Thanks
Jon
Hi @jpt1228 ,
When you go to the share in the dataset what access do those users have? And, in the Service, do you have the RLS setup in the security with named userids? If so, that should resolve it - they sign into Power BI service and then they get the permissions as per the RLS security.
Proud to be a Datanaut!
Private message me for consulting or training needs.
Hello @collinq we are not managing any RLS in the data model itself. We want to utilize existing BW security schemas via credentials. This works as expected when connecting to the query via the PBI desktop. Once the user utilizes the Power BI data set it doesn't promt for their credentials.
Thanks
Jon
Ok @jpt1228 , it sounds like you do NOT want them to have the datasets - when you shared the report with them did you UNcheck the "Allow receipients to build new content using the underlying datasets". Perhaps you need to undo that and then they won't be able to get to that part.
I would appreciate Kudos if my response was helpful. I would also appreciate it if you would Mark this As a Solution if it solved the problem. Thanks!
Proud to be a Datanaut!
Private message me for consulting or training needs.
Hi @collinq I want them to have access to the data sets - I just do not want them to have access to ALL the data. Filtered to sales region. If they connect deesktop to the data they have to put their credentials in and security works as expected.
We are sharing a data model with them and it is using the gateway user authorizations.
HI @jpt1228 ,
I just found this as well:
The current limitations for row-level security on cloud models are as follows:
If you previously defined roles and rules in the Power BI service, you must re-create them in Power BI Desktop.
You can define RLS only on the datasets created with Power BI Desktop. If you want to enable RLS for datasets created with Excel, you must convert your files into Power BI Desktop (PBIX) files first. Learn more.
Only Import and DirectQuery connections are supported. Live connections to Analysis Services are handled in the on-premises model.
Do any of these apply?
Proud to be a Datanaut!
Private message me for consulting or training needs.
Hi again @jpt1228 ,
RLS on dataasets does not work on "live connection" datasets. Are you using Live Connection?
Proud to be a Datanaut!
Private message me for consulting or training needs.
@collinq We are using a direct query connention. It works when connecting directly to the BW via desktop with BW credentials. I have been looking at kerberos SSO thinking that might pass their credentials through the data model to the BW. We do not want to manage security in a secondary location/application.
Hmmmmmmm......
If it works as expected for individuals on the desktop (where we know they are using their userid) and NOT in the Service then my thought is that the browser is not requiring/recognizing their logins and/or it is just using a default higher permission login. Do you think that might be possible? THinking out loud....
Proud to be a Datanaut!
Private message me for consulting or training needs.
I suspect when I create the data model, publish to the service and connect the enterprise gateway it is using my credentials stores for all subsequent users to connect to that data model. I am missing a method to authorize users by BW security. Kerberos says it will pass the user credentials through to the underlying data sets. I do not have that configured. We want to share federated approved data sets and not allow users to create their own metrics and dimensions to maintain one version of the truth.
Hi @jpt1228 ,
I think that must be it - that the users are able to hijack the other permissions. That is my theory anyway and why I was asking about service credentials. Setting it up in Kerberos might be the way to go - and Kerberos security is always so easy to set up!
😀
Proud to be a Datanaut!
Private message me for consulting or training needs.
The gateway is a service level account. But using my credentials to publish the DM for other users to build off of.
Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City
Check out the April 2024 Power BI update to learn about new features.