We have a multi-tenant SaaS solution where we want to embed a Power BI report into every customer's dashboard.
The data resides in a single Azure SQL database and my question is this:
What is the recommended approach in this scenario?
Is it to make one report and use RLS to give each client their own view, or is it to make one report for each client?
I think the decision impacts the areas of maintainability, performance and security, but I am not sure if that is correct, so any input on best practices would be greatly appreciated.

I recommend you use B2B external sharing with RLS.
For detailed information, please refer to the following links:

Thanks for the reply, but I think maybe I did not explain the scenario well enough.
We are an ISV doing a SaaS product, so the users that will need to access our embedded report are our customers.
We already have a solution in place with the old Power BI Embedded and need to migrate it to the new version.
And then I was just thinking what the pros and cons were regarding keeping the RLS-based access or separating the report into one per customer and going without RLS.
I hope this makes it clearer.

I think using RLS should be simpler than publishing separate reports to different tenants (you need to manage multiple reports and their gateways and credentials).
You can also submit your requirement to help Power BI improve RLS features.

We've been working on this at the moment. We have a multi-tenant application (in separate elastic databases) and want to provide our clients with some already-made reports (let's say templates).
What we have done (simplified):
- All our templates (pbix files) have a parameter (e.g. TenantId) (when designed in Power BI Desktop).
- We have one app workspace for each tenant.
- We provisioned all app workspaces with capacity (EM SKU).
- We implemented a mechanism which copies (using import-export) the report into the tenant's app workspace.
- We used the SetParameters endpoint from the Power BI REST API to specify the TenantId when we copy the report.
- We have a mechanism (using messages) in place which updates the reports, when needed.
- At the moment we don't use RLS all the way down.
- We'll probably use B2B invites in the future for sharing reports to external and other features.
- If you're going to use RLS all the way, take some time to look at the licensing part (especially if you're going to use AAD).
A-SKUs (Azure provisioned capacity) can't be used with AAD.
- We preferred to have one app workspace for each tenant for security reasons. FYI, while developing we also hit a 200 reports/dataset limitation per app workspace (this will be fixed in the next few months as internal teams replied to us).
- The messaging mechanism for copying and updating the templates works well. We also created a separate user interface for internal teams to publish templates.
- For performance issues, take into consideration that every action consumes resources from the provisioned capacity (not only the rendering of the reports consumes capacity, but also the dataset refreshes etc.)
Hope this helps.
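
The per-tenant flow described in the post above, as an added example that is not the poster's code: it builds the REST requests (without sending them) from a server-side registry, so workspace and report ids never come from the browser, and it checks that no workspace is shared between tenants. The tenant names, GUIDs and the `Tenant` role name are constructed assumptions; the parameter step uses the operation the Power BI REST reference documents as Update Parameters In Group.

```python
import re
from collections import defaultdict

API = "https://api.powerbi.com/v1.0/myorg"
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# Constructed sample registry (hypothetical ids): one app workspace per tenant.
REGISTRY = {
    "tenant-a": {"workspace": "11111111-1111-1111-1111-111111111111",
                 "dataset": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
                 "report": "a0a0a0a0-0000-0000-0000-000000000001"},
    "tenant-b": {"workspace": "22222222-2222-2222-2222-222222222222",
                 "dataset": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
                 "report": "b0b0b0b0-0000-0000-0000-000000000002"},
}

def shared_workspaces(registry):
    """Return {workspace: [tenants]} for workspaces mapped to more than one tenant."""
    owners = defaultdict(list)
    for tenant, entry in registry.items():
        owners[entry["workspace"]].append(tenant)
    return {ws: sorted(t) for ws, t in owners.items() if len(t) > 1}

def _entry(tenant_id, registry):
    entry = registry.get(tenant_id)
    if entry is None:
        raise PermissionError(f"unknown tenant {tenant_id!r}")
    for key in ("workspace", "dataset", "report"):
        if not GUID.match(entry[key]):
            raise ValueError(f"{key} for {tenant_id!r} is not a GUID")
    return entry

def update_parameters_request(tenant_id, registry=REGISTRY):
    """Pin the TenantId parameter on the tenant's own copy of the template dataset."""
    e = _entry(tenant_id, registry)
    url = f"{API}/groups/{e['workspace']}/datasets/{e['dataset']}/Default.UpdateParameters"
    return url, {"updateDetails": [{"name": "TenantId", "newValue": tenant_id}]}

def embed_token_request(session_tenant, registry=REGISTRY, rls_role=None):
    """GenerateToken request for the tenant taken from the authenticated session."""
    e = _entry(session_tenant, registry)  # ids come from the registry only
    body = {"accessLevel": "View"}
    if rls_role:  # shared-report variant: add an RLS effective identity
        body["identities"] = [{"username": session_tenant, "roles": [rls_role],
                               "datasets": [e["dataset"]]}]
    url = f"{API}/groups/{e['workspace']}/reports/{e['report']}/GenerateToken"
    return url, body
```

Each function returns the URL and JSON body for a POST with an `Authorization: Bearer` header; run `shared_workspaces` whenever the registry changes.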