How to get user role in Power BI M Query - powerbi

I am using Power BI Role Level Security (RLS). In RLS, we have roles like Administrator. I have a direct query in Power M Query like this:
let
SomeVar = Record.Field(Table.First(GetSomeVar(Age)), "Column"),
Role = HowCanIGetUserRoleHere,
Source = Sql.Database("mydb.servr", "db", [Query="SELECT ..... UserRoleHere", CreateNavigationProperties=false])
in
Source
How can I get the role of the user who is viewing the dashboard in the above query?

Related

Why is the ‘row level security’ grayed out and will the RLS filter work?

I have a RLS requirement, where I need:
The user accessing the report to see only her/his own data.
Teamleads can read their own data + their teams.
In the USER role, I have the RLS:
Users table
=[NT Username] = USERNAME()
In the Team Leads role, I have the RLS:
Users table
= [TeamLeadUserId] IN SELECTCOLUMNS(FILTER('Users' , 'Users'[NT UserName] = USERNAME() )
,"Id"
,[User Number])
In my model I have 2 facts, a classic one, and an AggregatedFact.
In my model I have the classic: “1 to MANY” User dimension to Fact.
Then I have a “Many To Many” User dimension to AgProfitCenter dimension
Why is the ‘row level security’ grayed out? Will the RLS filter the AgProfitCenter table?
Lastly, I don’t understand why if in the details it is clearly marked as * : * in the MANAGE page it appears as *:1
Note: dimension AgProfitCenter connects to AggregatedFact; which holds aggregated data.

How to check that RLS filter will propagate?

I have the below model:
And I am unsure if my RLS propagates correctly…
The model has 2 regular facts FactRevenue and FactSales (I cut them from the screenshot, just for clarity) and it also has Aggregated Revenue (shown in the screenshot).
I have two roles, on Employee Current where I have the next RLS:
ROLE1:
=[NT Username] = USERNAME()
ROLE2:
=[TeamLeadID] IN SELECTCOLUMNS(FILTER('Employee Current','Employee Current'[NT UserName] = USERNAME()),"ID",[ID])
Engagement Role is an UNPIVOT of Employee (each Employee can have up to 5 different roles…) (Therefore it is 1:*)
My questions are:
will my RLS filter in Employee Current flow to Engagement Role and then flow to WBS, and then flow to FactSales ?
will my RLS filter in Employee Current flow to AgProfitCenter and then flow to Aggregated Revenue?
In Power BI Desktop go to Modeling "View as". Check and verify if everything works as expected.
Or use DAX Studio. Expand Advanced Options and type "Effective User Name"

Error when writing a table into a Power BI Datamart db [CREATE TABLE permission denied in database..]

I'm curious to know whether or not it is possible to create a table in Datamart using SQL Server Management Studio. Just a note, Power BI Datamart uses Azure SQL db. I have tried to do it using the following query:
 
SELECT Role = r.name, Member = m.name
FROM sys.database_role_members as rm
INNER JOIN sys.database_principals as r
ON r.principal_id = rm.role_principal_id
INNER JOIN sys.database_principals as m
ON m.principal_id = rm.member_principal_id
and I get the following error:
Msg 262, Level 14, State 1, Line 1
CREATE TABLE permission denied in database 'db_powerbiprodgbr_20221028_10054574_fb38'.
I then wanted to change my role from admin to admin_user using the following query:
ALTER AUTHORIZATION ON DATABASE::db_powerbiprodgbr_20221028_10054574_fb38 TO admin_user  
When I attempted to change my privilege I got the following error:
Msg 15247, Level 16, State 1, Line 1
User does not have permission to perform this action.
Could you please run the following statement on the Azure SQL database while logged in as the SQL Admin login of the logical server?
exec sp_addRoleMember 'dbmanager', 'powerbilogin'
After that powerbilogin will be able to create tables.

Redshift - Group Level Permissions on a Schema

I created two Groups (Confirmed using SELECT groname FROM pg_group)
Test_Group_A
Test_Group_AB
Created two External Schemas (Confirmed using SELECT schemaname FROM svv_external_schemas)
External_Schema_A
External_Schema_B
Granted permissions to these groups on external schemas, as follows:
GRANT USAGE ON SCHEMA External_Schema_A TO GROUP Test_Group_A;
GRANT USAGE ON SCHEMA External_Schema_A TO GROUP Test_Group_AB;
GRANT USAGE ON SCHEMA External_Schema_B TO GROUP Test_Group_AB;
Using metadata, how do I get the list of
Schemas that Test_Group_X and Test_Group_XY can access
OR
Groups that have access to External_Schema_X and External_Schema_Y
Thanks!
The easiest way I would think would be to operate as a member of these groups and test the permissions. The easiest way to "become" another user (while connected as a superuser) is "set session authorization 'user_name';". This will give you the rights and authorization of this user. When done you can "reset session authorization;".
SELECT
    *
FROM
    (
        SELECT
            pg_get_userbyid(b.nspowner)::text AS objowner,
            b.nspname::text AS objname,
            TRIM(SPLIT_PART(array_to_string(b.nspacl, ','), ',', NS.n))::text AS access_control_list_string
        FROM
            (
                SELECT
                    oid,
                    generate_series(1, array_upper(nspacl, 1)) AS n
                FROM
                    pg_catalog.pg_namespace
            ) ns
            INNER JOIN pg_catalog.pg_namespace B
                ON b.oid = ns.oid
                AND ns.n <= array_upper(b.nspacl, 1)
    )
WHERE
    objname = '<external_schema_name>'
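The query above returns one raw ACL entry per row. As an added example (not part of the original answer), this Python sketch turns such rows into the two views the question asks for. It assumes entries have the text form `[group ]grantee=privileges/grantor` and that names come back lower-case; the sample rows and the owner name `admin` are constructed.

```python
import re
from collections import defaultdict

# Constructed rows shaped like the query output: (objname, access_control_list_string).
# "admin" is a placeholder owner; lower-case names are an assumption about stored identifiers.
SAMPLE_ROWS = [
    ("external_schema_a", "admin=UC/admin"),
    ("external_schema_a", "group test_group_a=U/admin"),
    ("external_schema_a", "group test_group_ab=U/admin"),
    ("external_schema_b", "admin=UC/admin"),
    ("external_schema_b", "group test_group_ab=U/admin"),
]

# Assumed entry form: [group ]grantee=privileges/grantor (empty grantee = PUBLIC).
ACL_RE = re.compile(r'^(group )?("[^"]*"|[^=]*)=([A-Za-z*]*)/(.*)$')
PRIVILEGES = {"U": "USAGE", "C": "CREATE"}


def parse_acl(entry):
    """Split one ACL entry into (kind, grantee, privileges, grantor)."""
    match = ACL_RE.match(entry.strip())
    if match is None:
        raise ValueError(f"unrecognised ACL entry: {entry!r}")
    is_group, grantee, letters, grantor = match.groups()
    grantee = grantee.strip('"')
    kind = "group" if is_group else ("user" if grantee else "public")
    # '*' after a letter marks WITH GRANT OPTION; it is not a privilege itself.
    privileges = {PRIVILEGES.get(c, c) for c in letters if c != "*"}
    return kind, grantee, privileges, grantor


def schemas_by_group(rows, privilege="USAGE"):
    """Map each group to the sorted schemas on which it holds `privilege`."""
    result = defaultdict(set)
    for schema, entry in rows:
        kind, grantee, privileges, _ = parse_acl(entry)
        if kind == "group" and privilege in privileges:
            result[grantee].add(schema)
    return {group: sorted(schemas) for group, schemas in result.items()}


def groups_by_schema(rows, privilege="USAGE"):
    """Inverse view: map each schema to the sorted groups holding `privilege`."""
    result = defaultdict(set)
    for group, schemas in schemas_by_group(rows, privilege).items():
        for schema in schemas:
            result[schema].add(group)
    return {schema: sorted(groups) for schema, groups in result.items()}
```

Entries parsed as `user` or `public` are skipped by both functions, so review them separately when auditing who can reach a schema.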

How do I write a DAX expression in Power BI for row-level security?

I am trying to implement row-level security on one table based on a separate users table. I've seen this talked about in places like this, but haven't been able to get things working for my case.
Users table:
Transactions table:
The table I'd like to secure is called Transactions. One of the fields in each row is CompanyID. The Users table contains three columns: AccountID, UserEmail, and CompanyID. What I'd like is for only users assigned to given CompanyIDs to be able to view rows in the Transactions table with those CompanyIDs.
Since more than one User may view a given row, I established a one-to-many relationship from Transactions to Users on the CompanyID field.
I created a DAX expression that filters on the Users table with the following:
[UserEmail] = USERPRINCIPALNAME()
When I select "View As -> Other User" in Power BI Desktop and enter a random email, though, I can still see the entire report. Any idea what I'm leaving out?
EDIT:
I left out an important stipulation: Any user associated with a CompanyID of 1 can view all the records of the Transaction table. I've tried approaches similar to this
[UserEmail] = USERPRINCIPALNAME() ||
COUNTROWS(FILTER('Users', [UserEmail] = USERPRINCIPALNAME() && [CompanyId] = 1)) = 1
but they don't work. Even users with CompanyId of 1 are prohibited from viewing the table.
From the docs:
By default, row-level security filtering uses single-directional
filters, whether the relationships are set to single direction or
bi-directional. You can manually enable bi-directional cross-filtering
with row-level security by selecting the relationship and checking the
Apply security filter in both directions checkbox. Select this option
when you've also implemented dynamic row-level security at the server
level, where row-level security is based on username or login ID.
https://learn.microsoft.com/en-us/power-bi/admin/service-admin-rls
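The symptom in the question (an arbitrary e-mail still sees every transaction) matches the single-directional behaviour in the quoted docs. This added Python model, which is not from the original post and is not Power BI code, simulates it for the one-to-many Transactions-to-Users relationship the asker describes. The sample rows, e-mail addresses and the `TransactionID` column are constructed.

```python
# Constructed sample data using the column names from the question.
USERS = [
    {"AccountID": 1, "UserEmail": "alice@example.com", "CompanyID": 10},
    {"AccountID": 2, "UserEmail": "bob@example.com", "CompanyID": 20},
    {"AccountID": 3, "UserEmail": "carol@example.com", "CompanyID": 10},
]
TRANSACTIONS = [
    {"TransactionID": 100, "CompanyID": 10},  # TransactionID is a hypothetical key
    {"TransactionID": 101, "CompanyID": 20},
    {"TransactionID": 102, "CompanyID": 30},
]


def visible_transactions(upn, users, transactions, security_both_directions):
    """Return the TransactionIDs a viewer can see under the role filter
    [UserEmail] = USERPRINCIPALNAME() defined on the Users table.

    Simplified model: the relationship filters Users from Transactions.
    The security filter travels back to Transactions only when
    "Apply security filter in both directions" is checked.
    """
    # Role filter on Users (DAX text comparison is case-insensitive).
    visible_users = [u for u in users if u["UserEmail"].lower() == upn.lower()]

    if not security_both_directions:
        # The filter stays on Users, so Transactions is left unfiltered.
        return [t["TransactionID"] for t in transactions]

    # With the checkbox set, only companies of the visible user rows survive.
    companies = {u["CompanyID"] for u in visible_users}
    return [t["TransactionID"] for t in transactions if t["CompanyID"] in companies]


def leaked_rows(upn, users, transactions):
    """Rows visible with the default setting that the checkbox would hide."""
    default = set(visible_transactions(upn, users, transactions, False))
    secured = set(visible_transactions(upn, users, transactions, True))
    return sorted(default - secured)
```

An unknown e-mail sees all three rows with the default setting and none once the security filter applies in both directions, which is the check "View As -> Other User" should reproduce.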