I am fairly new to PBI, and I want to create a powerBI dashboard and share it externally, meaning to different people (users) without a powerBI license. However, the data for each user is restricted based on their rights.
How can I best set this up? I'm thinking to either use a login system, or using different URLs per user. Right now some possible solutions I found are 1) Embedded PowerBi content using Azure, 2) using Row-level security (RLS) or 3) create different URLs based on a column value, and (somehow) have it restricted per user.
My apologies for this entry-level question, any tips are very welcome.
Related
I'm trying to find the best approach to delivering a BI solution to 400+ customers which each have their own database.
I've got PowerBI Embedded working using service principal licensing and I have the PowerBI service connected to my data through the On Premise Data Gateway.
I've build my first report pointing to 1 of the customer databases. Which works lovely.
What I want to do next, when embedding the report, is to tell PowerBI, for this session, to get the database from a different database.
I'm struggling to find somewhere where this is explained, or to understand if this is even possible.
I'm trying to avoid creating 400+ WorkSpaces or 400+ Data Sets.
If someone could point me in the right direction, it would be appreciated.
You can configure the report to use parameters and these parameters can be used to configure the source for your dataset:
https://www.phdata.io/blog/how-to-parameterize-data-sources-power-bi/
These parameters can be set by the app hosting the embedded report:
https://learn.microsoft.com/en-us/rest/api/power-bi/datasets/update-parameters-in-group
Because the app is setting the parameter, each user will only see their own data. Since this will be a live connection, you would need to think about how the underlying server can support the workload.
An alternative solution would be to consolidate the customer databases into a single database (just the relevant tables) and use row level security to restrict access for each customer. The advantage to this design is that you take the burden off of the underlying SQL instance and push it into a PBI dataset that is made to handle huge datasets with sub-second response times.
More on that here: https://learn.microsoft.com/en-us/power-bi/enterprise/service-admin-rls
I am using druid to store data for creating dashboard over superset. Now, I want to use the same cluster to store data for other project which is not completely different. But we want to segregate datasources of both the projects.
Is there a way to create database/keyspace sort of thing to segregate datasources of two different project in druid?
Multiple way to work with this use case.
Easiest one create multiple datasources into superset. Based on the same connection to druid.
Then create roles to provide access to this datasources. Then end user will have 1 or multiple roles. Each role providing data from druid but from different perspective. Every user will be able to create his own dash based on this dataset if allowed by role.
Other way is to user row security level. Each row has a specific tag. Each user is configured to have access to 1 or many tags. This approch allow you to have the same dash for all users
More ressources here => https://superset.apache.org/docs/security
I have a report from power bi, which has a direct connection to the server to obtain the data (analisys services). To access the data from my account I use the on premises data gateway, which works correctly and I can view the data in the web app. The problem appears when the report to another user (both having the pro account). From the account of the other user you can see that a report was shared, but when you open it the following error appears: "Error executing the query because the cube or some internal structures have not been processed (or do not exist)" .Also grant owner permissions to the cube to the user in question. Any clue where it might be failing?
I think you should Map usernames for this connection.
Go to settings -> Manage gateways
Under your gateway cluster you should have your data source (if not you can add a new one and it's quite straight forward to set up, just choose analysis services, write in database name of server and credentials) and then you should go to Users tab.
There you can see Map usernames where you need to Replace the account to which you want to share with an account that has permissions in SSMS.
For example you want to share to example#elpmaxe.com and you have granted permissions in SSMS to user named example.elpmaxe, so in map usernames you would replace example#elpmaxe.com with example.elpmaxe
The answer was easy but finding it was difficult. The issue was that even though you had assigned the role in the cube to the user who wanted to share the report, you had not given them read permission (assuming the role had already been assigned). It is a basic problem but if you are a beginner in analysis services it can get complicated.
I am wanting to know how secure Row-Level Security is.
We are currently working on creating a dashboard that would be shared with 500 users within our organisation. All of these users are managers and we would be using dynamic row-level security so that each user would only be able to view information in the dashboard related to their own team.
I have tested RLS and it worked fine, but I have had another Power Bi user tell me that RLS is not completely secure as my base data is coming from excel. My base data is in excel, but I convert it into a pbix file in Power Bi desktop before creating the role, then publishing to power bi service, where I assign users to the role and give read only access.
I am wondering once I have shared the dashboard with these users is there any way for them to get around the RLS and access the base data?
Thanks in advance,
Amy
There are a number of factors to consider for imported data.
If the user can download the report, they could remove the role and access all the data. I would recommend turning this off in the Power BI Admin protal for selected users, or an AD group.
They could connect to the dataset via Excel or another report and get the data that way without the role level filter being used. Having them as read only is one way of stopping them altering the report. I would suggest deploying the report as an app, then they can only access the surfaced report not the underlying dataset.
If I understand correctly, unlike with the Personal Gateway, the Enterprise Gateway allows all the users within the same domain to refresh the data. So my question is: is it possible to disable Manual Refresh? I want to share my dashboard with people in my organization, but I want to avoid having people constantly refreshing the dashboard and consuming my database server resources.
Create a Report/dashboard in Power Bi, and select Import data not Direct query, don't share dataset with the users, only share report/dashboard with users, this way they will be able to see data but will not be able to refresh it. And you can schedule a time for your source data to get refreshed.