To piggyback on this issue, we could pass the username back via a StoredProcedure input parameter and pre-filter the data before it hits PowerBI. In the April Desktop Release we Define Query Parameters:

In Edit Query

Click Manage Parameters button

New Parameter

Save

Then right click parameter in left margin list of queries

Choose “Enable Load”  

Create another Query (SQL style) and copy and paste your Execute sp command with sql sp params hard coded to some sample values

After creating, previewing and saving (load)

Now go back to the formula bar of your query and interrupt the DAX with a concatenate phrase

Example my PowerBI parameter name is pOrgUnit   (btw PowerBI /DAX is case sensitive)

My original SQL Execute command

DECLARE       @return_value int

EXEC   @return_value = [dbo].[sp_AccountComparisons_InSummary]

              @CompanyDB = N'TWO',

              @userid = N'User1',

              @OrgUnit = N'100'

 SELECT 'Return Value' = @return_value

I replaced       @OrgUnit = N'100'

With          @OrgUnit = N'”&pOrgUnit&”'

Resulting DAX Formula

= Sql.Database("dynbuddev", "DynamicBudgets", [Query="DECLARE#(tab)@return_value int#(lf)#(lf)EXEC#(tab)@return_value = [dbo].[sp_AccountComparisons_InSummary]#(lf)#(tab)#(tab)@CompanyDB = N'TWO',#(lf)#(tab)#(tab)@userid = N'dynbudsm',#(lf)#(tab)#(tab)@OrgUnit = N'"&pOrgUnit&"'#(lf)#(lf)SELECT#(tab)'Return Value' = @return_value#(lf)"])

Now the clunky part is that you need to go to EditQueries, choose edit parameters, and then change from one param value to another

In my example changing from 500 to 100…

Changing the parameter can be invoked from either Edit Query button in either the Edit Query window or a Report

 I would expect a user to want to change focus by clicking a visual element, not a ribbon option, so I’m next going to try to just pass the username() as my @UserID sp  parameter.

If I can just pre-filter the list to what the user has security access rights to then I don’t care what they click on within the report because it has already been prefiltered to only their respective data they have security clearance to see.

We already have have complex financial account level security defined in our onpremise data source, I don't want to replicate that in Role Level Security in PowerBI...thus why the sp param approach for pre-filtering 

So to try to use this in the real world, I might still need to setup role level security to just be able to reference a Username()  instead of a GUID…

The key I suppose is that I Need the dataset  to load on-demand and not have any cached data (direct query or Odata)?

Does ODATA work with SPs?

@zgidwani finally do you found the way to pass username() by parameter?

---

@zgidwani wrote:

 

@I would expect a user to want to change focus by clicking a visual element, not a ribbon option, so I’m next going to try to just pass the username() as my @UserID sp  parameter.

If I can just pre-filter the list to what the user has security access rights to then I don’t care what they click on within the report because it has already been prefiltered to only their respective data they have security clearance to see.

---

Hi Brian,

Thanks, this was really helpful! Unfortunately, the whole reason I am using the USERNAME() function to implement RLS, is because I would like to be able to apply RLS on accounts outside of my organisation, and using a calculated table I can do this.

The issue comes in when you create a role, all extra-organisational email addresses cannot access the data, see: https://dl.dropboxusercontent.com/u/25095474/ShareX/2016/05/chrome_2016-05-26_09-57-13.png

Any ideas as to how to prevent the restricted data access when a role is enabled? Or perhaps a method of generating the hex string of Xs to compare to the USERNAME() function? (`XXXXXXXXXXXXXXXX yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy`)

Hi Jexah,

The link to the image in your dropbox account doesn't seem to work.

I think I understand what you are saying, I'm trying to test that restriction this end. Are you saying that the external user's view of the USERNAME() function reverts back to a GUID if they try to access the report, or are they blocked from seeing the report entirely? 

Johnny, could you post an example of how to use the username() in the RLS?

USERNAME() in the PBI Service returns the user name of the Microsoft service account for that instance of the server. (This is an educated guess, haven't had a concern to actually verify).

If the goal is to apply row-level security in Power BI, the only actually secure method is to use DirectQuery against a SSAS cube or a SQL data source that has row-level security. The Power BI Power Pivot model **CANNOT** support row-level security.

When performing a direct query, the Power BI Service will pass along the currently logged in user's credentials for authentication against the data source, returning only data that that user's role is allowed to see based on the security criteria.