After connecting SAP HANA to Power BI, every time I want to display the data in a chart or a tab I get this error message :
error old DB or odbc [SAP AG][LIBODBCHDB32 DLL][HDBODBC32] general error : 258 insufficient privileges
Note that the system user has all the privileges
Can you clarify your use case? If you are SYSTEM, I assume you are using something like HANA Express Edition. Are you using Power BI to select against a Calculation View? If so, you'll need at the very least SELECT on the _SYS_BIC schema (which is also a grossly large GRANT to do, however who cares if this is a sandbox.)
You may also need to grant SYSTEM some Analytic Privileges if it is a calculation view and you did not blank out that option.
Again, this is somewhat speculative unless you can be more specific what type of catalog object you are selecting against in HANA.
The HANA SYSTEM user is the root database administration user. It does not and should not have access to the application data at all.
To use reporting tools with your application data you need to create a DB user and assign this user the read privileges for the DB objects you want to access.
Using SYSTEM for this (or really for anything else than bootstrapping the system) is not recommend and leaves a gaping security hole.
Besides the mentioned security issue with SYSTEM user for just reporting I agree that you should check and assign the analytic privileges on reporting objects to reporting user. Because they must be granted explicitly: there's no "view all" SQL analytic privilege in HANA, so no superuser that can view everything via any Calculation view.
To figure out the problem object you should set trace level to debug for your reporting user and indexserver.authorization component.
Related
I'm trying to find the best approach to delivering a BI solution to 400+ customers which each have their own database.
I've got PowerBI Embedded working using service principal licensing and I have the PowerBI service connected to my data through the On Premise Data Gateway.
I've build my first report pointing to 1 of the customer databases. Which works lovely.
What I want to do next, when embedding the report, is to tell PowerBI, for this session, to get the database from a different database.
I'm struggling to find somewhere where this is explained, or to understand if this is even possible.
I'm trying to avoid creating 400+ WorkSpaces or 400+ Data Sets.
If someone could point me in the right direction, it would be appreciated.
You can configure the report to use parameters and these parameters can be used to configure the source for your dataset:
https://www.phdata.io/blog/how-to-parameterize-data-sources-power-bi/
These parameters can be set by the app hosting the embedded report:
https://learn.microsoft.com/en-us/rest/api/power-bi/datasets/update-parameters-in-group
Because the app is setting the parameter, each user will only see their own data. Since this will be a live connection, you would need to think about how the underlying server can support the workload.
An alternative solution would be to consolidate the customer databases into a single database (just the relevant tables) and use row level security to restrict access for each customer. The advantage to this design is that you take the burden off of the underlying SQL instance and push it into a PBI dataset that is made to handle huge datasets with sub-second response times.
More on that here: https://learn.microsoft.com/en-us/power-bi/enterprise/service-admin-rls
I am fairly new to PBI, and I want to create a powerBI dashboard and share it externally, meaning to different people (users) without a powerBI license. However, the data for each user is restricted based on their rights.
How can I best set this up? I'm thinking to either use a login system, or using different URLs per user. Right now some possible solutions I found are 1) Embedded PowerBi content using Azure, 2) using Row-level security (RLS) or 3) create different URLs based on a column value, and (somehow) have it restricted per user.
My apologies for this entry-level question, any tips are very welcome.
I have a report from power bi, which has a direct connection to the server to obtain the data (analisys services). To access the data from my account I use the on premises data gateway, which works correctly and I can view the data in the web app. The problem appears when the report to another user (both having the pro account). From the account of the other user you can see that a report was shared, but when you open it the following error appears: "Error executing the query because the cube or some internal structures have not been processed (or do not exist)" .Also grant owner permissions to the cube to the user in question. Any clue where it might be failing?
I think you should Map usernames for this connection.
Go to settings -> Manage gateways
Under your gateway cluster you should have your data source (if not you can add a new one and it's quite straight forward to set up, just choose analysis services, write in database name of server and credentials) and then you should go to Users tab.
There you can see Map usernames where you need to Replace the account to which you want to share with an account that has permissions in SSMS.
For example you want to share to example#elpmaxe.com and you have granted permissions in SSMS to user named example.elpmaxe, so in map usernames you would replace example#elpmaxe.com with example.elpmaxe
The answer was easy but finding it was difficult. The issue was that even though you had assigned the role in the cube to the user who wanted to share the report, you had not given them read permission (assuming the role had already been assigned). It is a basic problem but if you are a beginner in analysis services it can get complicated.
I have developed a Power BI report using Power BI Desktop, pointing to a private on premise development database as the datasource so that I was able to develop and test it easily. Then, I published it from my Power BI Desktop pbix to the work area of my customer.
As a result, the work area contains the published report and the dataset. Later, my customer has changed the dataset so that it now points to the correct on premise production database of their own. It works perfectly.
Now, I want to publish a new report for my customer using the previously published and reconfigured dataset. The problem is that I can't see any option in Power BI Desktop to have the report point to the published dataset, nor I can't see any option to avoid creating a new dataset each time I publish a report, nor any way to reconfigure from the web portal the new published report to point to the same dataset as the first one.
Is there any way to do this or any work around for this scenario? I think the most reasonable solution would be to be able to change the dataset of any report, so that the datasets of any report could be interchangeable.
Update:
I had already used connection specific parameters, but I'm not given rights to change the published dataset, so thats a dead end.
Another thing I have come up to is that in Power BI Desktop you cannot change the connection parameters values to those of production enviroment and publish the report if you can't access the target database from your computer, because PowerBI Desktop ask you to apply changes first, and when it tries to apply the values it tries to connect to the corresponding database and, obviously, ends with a network related error or timeout error trying to connect to the database server, therefore cancelling changes and returning to the starting point.
It's always a good practice to use connection specific parameters to define the data source. This means that you do not enter server name directly, but specify it indirectly using a parameter. The same for the database name, if applicable.
If you are about to make a new report, cancel Get data dialog, define parameters as described bellow, and then in Get data specify the datasource using these parameters:
To modify an existing report, open Power Query Editor by clicking Edit Queries and in Manage Parameters define two new text parameters, lets name them ServerName and DatabaseName:
Set their current values to point to one of your data sources, e.g. SQLSERVER2016 and AdventureWorks2016. Then right click your query in the report and open Advanced Editor. Find the server name and database name in the M code:
and replace them with the parameters defined above, so the M code will look like this:
Now you can close and apply changes and your report should work as before. But now when you want to change the data source, do it using Edit Parameters:
and change the server and/or database name to point to the other data source, that you want to use for your report:
After changing parameter values, Power BI Desktop will ask you to apply the changes and reload the data from the new data source. To change the parameter values (i.e. the data source) of a report published in Power BI Service, go to dataset's settings and enter new server and/or database name:
If the server is on-premise, check the Gateway connection too, to make sure that it is configured properly to use the right gateway. You may also want to check the available gateways in Manage gateways:
After changing the data source, refresh your dataset to get the data from the new data source. With Power BI Pro account you can do this 8 times per 24 hours, while if the dataset is in a dedicated capacity, this limit is raised to 48 times per 24 hours.
This is a easy way to make your reports "switchable", e.g. for switching one report from DEV or QA to PROD environment, or as part of your disaster recovery plan, to automate switching all reports in some workgroup to another DR server. In your case, this will allow you (or your customers) to easily switch the datasource of the report.
I think the only correct answer is that it cannot be done, at least at this moment.
The most closest way of achieving this is with Live connections:
https://learn.microsoft.com/en-us/power-bi/desktop-report-lifecycle-datasets
But if you have already designed your report without using the Live connection but your own development enviroment and corresponding connection parameters then you are lost, your only chance is redo all your report with the Live Connection, or the queerest one solution, to use an alias in your configuration matching the name of the database server and the same database name that in the target production environment.
I'm kind of new to PBI and I'm looking if it's the right tool for my case.
I would like to use Power BI Embedded in a web application for our customer (where they're logged in) which do not have any Power BI account/licence.
The database on which the reports are based are on-premise so we're would use Analysis Service Live Connection to access them.
Each customer should have his own report.
Is it possible to use RLS in that case?
Does that mean we've to create a role for each of them?
What username should be given in the EffectiveIdentity? Is it 'free text' that is used by PBI to get the username in the DAX?
If each customer will have his own report, then why do you need RLS at all? Just make the report to show what the user is supposed to see. Or you want to have a single report (or set of reports), which is shared between the users and they should see only their data? I will assume it is the later one.
I will start with the last question - the effective identity is not a "free text". It must be a valid user name, having rights to access the data, as specified in the documentation:
The effective identity that is provided for the username property must be a Windows user with permissions on the Analysis Services server.
The you can define RLS in your Analysis Service model, by adding a "users security" table, where you specify which rows should be visible to each user. Define relationships between this users security table and other tables in the model, and then let RLS to filter the data in the security table. The relationships with the rest of the model will apply cascade filtering on the data, so only relevant rows will be visible to the user. See Implement row-level security in an Analysis Services tabular model for example.
So the answer of your second question is no, you don't need a separate role for each user, because the filtering is based on the username and for every user it filters the same thing the same way.