未加星标

How to get Power BI RLS to work with external users

字体大小 | |
[数据库(mssql) 所属分类 数据库(mssql) | 发布者 店小二04 | 时间 2016 | 作者 红领巾 ] 0人收藏点击收藏

Let me start by thanking Adam Saxton aka Guy in a Cube and Hope Foley for helping me with this post.

Power BI has made sharing dashboards and reports inside and outside of an organization relatively simple. All you really need is an email address. Now, whether or not the person will be able to successfully view the shared dashboard depends on the data source. To complicate things further, what if you want to secure what data that person can or cannot see using Row-level Security (RLS).

Let’s assume that someone has built a dashboard that is directly connected to SQL Server Analysis Services (SSAS). That person shares the dashboard with someone outside of their organization. When the person outside the organization attempts to open the report he/she should only see data for a particular School District, Sales Region, Department, etc… To illustrate this, let me paint a picture using the following image:


How to get Power BI RLS to work with external users
[email protected] creates a reports. [email protected] publishes the reports to PowerBI.com. The report has a live connection to a SQL Server Analysis Services (SSAS) Semantic Model. [email protected] shares a dashboard with [email protected] . [email protected] attempts to open the dashboard and nothing.

Before I explain how to fix this, let’s take a look at what’s happening behind the scenes.

When [email protected] opens the dashboard a connection string is created including the effectiveusername property, which is expected behavior. The value specified for this property is [email protected] . The connections string including the queries are sent via the On-Premises gateway to the SSAS server that hosts the data needed to view the report. Once the connection is established, using the username and password specified in the Data Source settings, all queries are executed using [email protected] .

This is where the problem occurs. Because this person is external to contoso.com, it is highly unlikely that he/she will have any permissions to access the SSAS Server. As a result, the queries are not executed.

How do you solve this problem? With a feature called Map user names. Start by signing into PowerBI.com and navigate to Manage Gateways.


How to get Power BI RLS to work with external users

On the Gateways page, expand your gateway and click on the data source for the shared dashboard. In the properties window for the selected data source click Users.


How to get Power BI RLS to work with external users

Towards the bottom of the page click on the button labeled Map user names.


How to get Power BI RLS to work with external users

Click that button and the Map user names window will open on the right side of the screen.


How to get Power BI RLS to work with external users

Ensure that the Effective user names radio button is selected. Enter the shared/external users email address in the column labeled Replace and enter and account that has appropriate permissions to your Semantic model in the column labeled With. Click the button labeled ADD. By doing this, [email protected] will be replaced with the user you specified, allowing the reports to work. Not only does the report open successfully for [email protected] , but it will only display data for the internal user based on the RLS configuration in your Semantic model.


How to get Power BI RLS to work with external users

Please note that the user you specified in the With column must be included in a role on the Semantic model that has been configured for RLS if that is a requirement.

This approach has assisted me in solving a very common issue faced by my customers. For example, I work with County and Department of Education groups that would like to share SSAS sourced Power BI dashboards and reports with Districts and Schools. The challenge is as stated above. When someone from the school or district attempts to access the content and error is returned. Using the approach in this blog easily solves the problem. The external users are mapped to internal users that are part of a role that has been secured to see only specific data. When a person opens a report, data for a specific district is the only data that is available. Problem solved!

Talk to you soon,

Patrick LeBlanc

Data Platform Solution Architect, Microsoft

本文数据库(mssql)相关术语:熊片数据库 mssql数据库 oracle数据库 pubmed数据库 access数据库 万方数据库

主题: SQLSASSQL Server
分页:12
转载请注明
本文标题:How to get Power BI RLS to work with external users
本站链接:http://www.codesec.net/view/480652.html
分享请点击:


1.凡CodeSecTeam转载的文章,均出自其它媒体或其他官网介绍,目的在于传递更多的信息,并不代表本站赞同其观点和其真实性负责;
2.转载的文章仅代表原创作者观点,与本站无关。其原创性以及文中陈述文字和内容未经本站证实,本站对该文以及其中全部或者部分内容、文字的真实性、完整性、及时性,不作出任何保证或承若;
3.如本站转载稿涉及版权等问题,请作者及时联系本站,我们会及时处理。
登录后可拥有收藏文章、关注作者等权限...
技术大类 技术大类 | 数据库(mssql) | 评论(0) | 阅读(31)