When permission is given to user via publish app, it doesn't apply to the dataset if it resides in another workspace - powerbi

When permission is given to a user via publish app, it doesn't apply read permission to the dataset if the dataset resides in another workspace.
Example: Say the dataset is in WorkspaceA. The report connecting to this dataset is in WorkspaceB. I create an app in WorkspaceB; in the app permission tab I add the user who can access the app.
This doesn't automatically give read permission to the dataset since it resides in a different workspace. I have to manually give read access to users via the 'manage permissions' on the dataset.
Also, the checkmarks like "Allow all users to connect to apps underlying dataset using build permission", "allow users to make copy of reports", and "allow users to share app and apps underlying dataset using share permissions" seem to have no effect. What is the reason for this?

Related

AWS QuickSight - List all users belonging to a Dashboard

I want to generate a list of all the users that I've shared a specific dashboard with, ideally in a text/csv file.
If you have the AWS CLI (version 2) installed then this is as easy as calling the describe-dashboard-permissions API endpoint. You will have to get the dashboard id first by calling list-dashboards.
Otherwise you are stuck with the table provided in the UI under the Share menu button which also lists all permitted users but has no option to export to text (or anything else).
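For an access review, the response of that API call can be flattened into CSV. The following is an added example, not part of the original answer: it uses boto3 rather than the CLI for the same describe-dashboard-permissions call, and the account id, dashboard id and principal names in the sample are constructed placeholders.

```python
import csv
import io

# Constructed sample shaped like a describe-dashboard-permissions response;
# the account id, dashboard id and principal names are placeholders.
ARN = "arn:aws:quicksight:us-east-1:111122223333:"
SAMPLE_RESPONSE = {
    "DashboardId": "example-dashboard-id",
    "Permissions": [
        {"Principal": ARN + "user/default/alice",
         "Actions": ["quicksight:DescribeDashboard", "quicksight:QueryDashboard"]},
        {"Principal": ARN + "group/default/finance",
         "Actions": ["quicksight:DescribeDashboard", "quicksight:QueryDashboard"]},
        {"Principal": ARN + "user/default/bob",
         "Actions": ["quicksight:DescribeDashboard", "quicksight:QueryDashboard",
                     "quicksight:UpdateDashboardPermissions"]},
    ],
}
FIELDS = ["type", "namespace", "name", "can_manage", "principal_arn"]
# Actions that let a principal change or remove the dashboard or its sharing.
PRIVILEGED = {"quicksight:UpdateDashboardPermissions",
              "quicksight:UpdateDashboard", "quicksight:DeleteDashboard"}

def permission_rows(response):
    """Flatten the Permissions list into one dict per principal."""
    rows = []
    for entry in response.get("Permissions", []):
        arn = entry["Principal"]
        # Resource part is <type>/<namespace>/<name>; a name may contain "/".
        resource = arn.split(":", 5)[5]
        kind, namespace, name = (resource.split("/", 2) + ["", ""])[:3]
        can_manage = bool(PRIVILEGED & set(entry.get("Actions", [])))
        rows.append(dict(zip(FIELDS, [kind, namespace, name, can_manage, arn])))
    return rows

def to_csv(rows):
    """Render the rows as CSV text with a header line."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()

def fetch_permissions(account_id, dashboard_id):
    """Live call; needs boto3 and AWS credentials, not used by the sample."""
    import boto3
    return boto3.client("quicksight").describe_dashboard_permissions(
        AwsAccountId=account_id, DashboardId=dashboard_id)

if __name__ == "__main__":
    print(to_csv(permission_rows(SAMPLE_RESPONSE)))
```

The `can_manage` column marks principals who can re-share or delete the dashboard, which is usually the first thing to check in a sharing audit.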

What permissions does an ordinary user need in kibana

I am trying to set up elasticsearch/kibana in AWS and we've successfully created enough so we can access it using the 'elasticmaster' role. We can log in and input data with this user.
However, we have users who will be creating reports, visualisations etc but we definitely do not want them creating data.
The permission set in kibana seems very odd and unintuitive. Can someone please let me know what permissions this "reporting" user would need? They'll want access to pretty much all the indexes, just read only, but they will need permissions to create index patterns, visualisations etc.
We're using ES 7.10.

Different report by logged in user

I am new to PowerBI and I have a project where I store my data on a MySQL (or I will use MSSQL) server. Each user has a defined ID. Is it possible to create a user login or something like that that would show reports for different users?
The login screen with the PowerBI shortcode will be on my website and I would like to show the PowerBI report for the logged-in user. The report screen will be the same every time, but with different numbers for different users.
I am sorry for this question, but I am new to powerBI. Is it even possible to create something like this?
Thanks for any help.
You can take a look at Row-level security.
Row-level security (RLS) allows you to restrict a logged-in user's access to a report's data, i.e. you can show a different part of your data based on the logged-in user.
You can set up RLS in Power BI Desktop. You can create different roles that can be assigned by generating the embed token while embedding.
Refer docs: https://learn.microsoft.com/en-us/power-bi/admin/service-admin-rls
While embedding, generate embed token based on the user who has logged in and assign the roles to it. Refer docs: https://learn.microsoft.com/en-us/power-bi/developer/embedded/embedded-row-level-security
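The request behind that last step, as an added example that is not part of the original answer: it builds the URL and body for the Power BI REST `GenerateToken` call with an effective identity. The role names, the session fields and the `APP_ROLE_TO_RLS` mapping are assumptions made for illustration.

```python
# Hypothetical server-side mapping from the website's role to the RLS role
# names defined in Power BI Desktop (names are assumptions for this example).
APP_ROLE_TO_RLS = {"customer": ["CustomerRows"], "manager": ["ManagerRows"]}

API = "https://api.powerbi.com/v1.0/myorg"

def build_generate_token_request(session, group_id, report_id, dataset_id):
    """Return (url, body) for the report GenerateToken call with an RLS identity.

    `session` is the server-side record of the authenticated user; nothing in
    it is copied from query parameters or other browser-supplied input.
    """
    user_id = str(session.get("user_id") or "").strip()
    roles = APP_ROLE_TO_RLS.get(session.get("app_role"), [])
    # Fail closed: without an identity the token must not be issued at all.
    if not user_id or not roles:
        raise PermissionError("no RLS identity for this session")
    body = {
        "accessLevel": "View",
        "identities": [{
            "username": user_id,      # what USERNAME() sees in the role's DAX filter
            "roles": list(roles),
            "datasets": [dataset_id],
        }],
    }
    url = f"{API}/groups/{group_id}/reports/{report_id}/GenerateToken"
    return url, body

if __name__ == "__main__":
    # Constructed ids; a real call POSTs `body` as JSON with a bearer token.
    print(build_generate_token_request(
        {"user_id": 42, "app_role": "customer"}, "GROUP_ID", "REPORT_ID", "DATASET_ID"))
```

Because the identity is fixed when the token is issued, the row filter holds even if the user tampers with the embedding page.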

Any way to get "Employee Details" from Google API?

Is anyone aware of any Google API with the user scope (NOT the Admin API in the Directory SDK) that allows you to retrieve the custom employee attributes?
The G+ API seems to skip these
https://developers.google.com/+/web/api/rest/latest/people#resource
Our issue is that we don't want to grant access to the developer console, but rather do this PER-USER. I.E. a user logs into our app and we display to her the custom attributes for her G Suite account, but we do this as her (not as an approved API scope via the dev console).
Leaving this answer for anyone like me who finds this question.
The Directory API allows a user to query the custom attributes for their account even without any admin permissions at all.
https://developers.google.com/admin-sdk/directory/v1/reference/users/get
You need to ensure that projection is set to full and viewType is set to domain_public.
You may need to check the permissions for reading the custom attributes to ensure that a user is allowed to see theirs. We do this in the Google Cloud Directory Sync.

ssrs web service: basic permissions required for web service access?

I'm building a lightweight web interface to SSRS where web app users are mapped to web app roles, which in turn are mapped to SSRS users.
The reason for this convoluted scheme is not up for debate: In short, AD groups can't be used, the site uses Forms auth and there are a fixed number of roles.
Web Role | SSRS User
Admin | AdminUser
Supervisor | SuperUser
User | BasicUser
Guest | GuestUser
The goal is to enumerate all reports a user has permission to view, and allow the user to view the report with the ReportViewer control.
More importantly, it's to simplify the UX for users, both admins and the rest: preventing admins from having to use the Report Manager website (ie, selecting checkboxes rather than hand-typing which web-role-users have access to which reports), and providing a simple UI from which users can see and execute all their reports.
Everything works OK when the user is the AdminUser.
However, I'm having difficulty calling the web service when the user isn't included in a Policy on the Home/Root folder with at least the Browser SSRS role. (The permissions granted to user 'computer\username' are insufficient for performing this operation.)
This is problematic for a couple reasons:
If every user must be a Browser to connect to the web service and enumerate reports they have access to view/execute, then all users will have access to all new reports/folders by default. (Children automatically inherit new permissions)
If a report exists in a nested folder that does not inherit permissions and the user is not a browser of, but the user is a Browser on the nested report, ListChildren() will not return that report.
It seems this leaves me with 2 less than ideal options:
1. Don't call the web service with the different users. Instead, enumerate reports with ListChildren() using only the admin user. Then, for each report, call GetPolicies(), and from that collection of policies, determine what reports the user is able to view.
2. Make the call with different users. Live with the pitfalls of newly-published reports being accessible to everyone by default, until permissions are changed. Also live with the pitfalls of nested reports not showing unless the user has access to that path. If an admin wants a nested report within a folder with explicit permissions to be available to a user who can't see that folder, the policies on all ancestor folders and their children must be modified.
#1 is obviously very unwieldy and inefficient. But #2 has significant drawbacks and becomes just as onerous & inefficient when setting permissions in certain situations.
Is there a better way? Have I missed something obvious?
[edit]
A 3rd option is to query the ReportServer database directly using a query like this. This has the benefit of returning everything the user has access to, regardless of whether or not it exists in a subfolder the user cannot access (aka, cannot use the web service's ListChildren method to retrieve). However, if using AD groups, I would have to know which groups the user is a member of, whereas the web service would do this for me. This option feels like a bit of a hack to me, but it could work.
As it turns out, we did an end run around this issue by dropping the requirement to restrict report access by web role, and made the path we query in the web service a web.config setting that can change, thus allowing report authors to 'hide' reports in a parent folder if the need arises in the future.
The best solution would have been to query the ReportServer database directly.
However, the client changed their mind & didn't want to restrict reports based on web user role in the end, so problem solved!