I have created a Dataflow in power bi service. Now my client's requirements is that they want to take the data from the dataflow as per the roles. There is a user table where roles are already defined. My question is that without the relation between tables, how I am supposed to filter the data from all the tables? Is it possible at all? Or how can I make relationship of the tables in dataflow? Or any alternate procedure to take the data from dataflow as per the roles. Help me pls. Thanks in advance.
If your data supports it, for example some sort of mapping between the user and the data they are allowed to see, you will need to use Row Level Security to restrict what the end users see in the report. You will make the relationship between your dataflow and mapping table in Power BI, not the dataflow.
If you mean restricting access to the data in the dataflow based on their role, for example the user creates a report it only loads what they are allowed to see, then this functionality is not supported.
Hope that helps
Related
Our goal is to query a dataset that is published to PowerBI via the REST APIs ( https://learn.microsoft.com/en-us/rest/api/power-bi/datasets/execute-queries ). I'm not talking about the metadata of the dataset, I mean the row-level data contained within the tables in the dataset.
We are going to write a service (probably on prem) that will need to query this data, format it, and push it to another system. From what we understood, we could use a service principal as the identity to query the PowerBI API and retrieve the data.
The very important factor in this, is the service principal should not have access to the row level data of any other dataset. If we have to separate the datasets in a different workspace, that is workable, but not preferred.
Service Principal can be used to access that PBI API. It will have access to the data only if it has authorization on that workspace. So you need to separate workspace in order to manage the access of the dataset.
Sample in postman
From my experience, PowerBI execute DAX query can be quite slow. So do keep that in mind if your integration will require a quick response of PBI API.
I am working on a PowerBi project and I need some advice/questions on the best way to approach this project. I am tasked to create a dashboard for employee metrics pulled from an onsite SQL Server database. The managers here are going to have access to the PowerBi cloud, so I will end up uploading this to the cloud. There are 10 or so metrics that need to be shown on the dashboard. We have 5000+ employees. My first thought was to create a table and dump all the metrics into a table and set the PowerBi report to import the data, but that seems excessive and a waste of space to upload all that data to the CLOUD because all of the managers don't need access to every employee. They may want to see 1 or 2 employees' metrics on the dashboard.
My second thought is to (and if this is possible) create a stored procedure that will take the employee id and output a dataset for PowerBi to create a visual for. On the dashboard, have a list of employees and when a manager selects one, PowerBi will call the stored procedure with the employee id and the dataset will be returned for PowerBi to decipher into a visual based on my measurements. I guess I would set the PowerBi report connection type as DIRECT QUERY?
Here are my questions:
Is this possible? Is it possible to what I am thinking for my second plan? Is this how DIRECT QUERY works?
If so, how does DIRECT QUERY work with the PowerBi cloud?
What is setup like? Do I just install the PowerBi Data Gateway/configure it like IMPORT DATA and PowerBi does the rest?
A couple of queries:
What is the frequency of data update ?
In case if it is a batch job, it is ideally preferable to import that data from source into powerbi model and do reporting on the imported data as
a) The performance would be quicker
b) There would be no to and for of data across on prem database and cloud
c) the source would not be impacted constantly
So is the ask to have RLS wherein the managers should see only the employees under them?
Then it is pretty easy to implement RLS in imported version rather than in case of direct query.
Also you won't be able to pass parameters to stored procedures, and you can't execute them in direct query mode. You can however, create table valued functions which give you the ability to use table variables and perform other functions that are more complex in nature in Direct Query mode
you can refer this for additional details :
https://community.powerbi.com/t5/Desktop/Can-i-call-Stored-Procedure-with-Direct-Query/m-p/267141#:~:text=%40Pallavi%20you%20won't%20be,nature%20in%20Direct%20Query%20mode.
I would like to allow users privileges by region with PBI DAX expression implementation to first get USERPRINCIPALNAME then proceed to get their region.
User Table:
Scenario:
When Shaun login to powerBI service. He only can view the dashboard and dataset in region R10.
If you have multiple tables you want to control with dynamic security, you might prefer an approach based on the propagation of the security filters through the relationships instead of using a DAX expression for every table you want to filter.
What we have to do is to create a new role and use this code to apply security filter for the user table :
[EMAIL]= USERPRINCIPALNAME()
The second thing to do is to apply bi-directionnal filtering for the relationship betwen user_region and region.
I am wanting to know how secure Row-Level Security is.
We are currently working on creating a dashboard that would be shared with 500 users within our organisation. All of these users are managers and we would be using dynamic row-level security so that each user would only be able to view information in the dashboard related to their own team.
I have tested RLS and it worked fine, but I have had another Power Bi user tell me that RLS is not completely secure as my base data is coming from excel. My base data is in excel, but I convert it into a pbix file in Power Bi desktop before creating the role, then publishing to power bi service, where I assign users to the role and give read only access.
I am wondering once I have shared the dashboard with these users is there any way for them to get around the RLS and access the base data?
Thanks in advance,
Amy
There are a number of factors to consider for imported data.
If the user can download the report, they could remove the role and access all the data. I would recommend turning this off in the Power BI Admin protal for selected users, or an AD group.
They could connect to the dataset via Excel or another report and get the data that way without the role level filter being used. Having them as read only is one way of stopping them altering the report. I would suggest deploying the report as an app, then they can only access the surfaced report not the underlying dataset.
I'm kind of new to PBI and I'm looking if it's the right tool for my case.
I would like to use Power BI Embedded in a web application for our customer (where they're logged in) which do not have any Power BI account/licence.
The database on which the reports are based are on-premise so we're would use Analysis Service Live Connection to access them.
Each customer should have his own report.
Is it possible to use RLS in that case?
Does that mean we've to create a role for each of them?
What username should be given in the EffectiveIdentity? Is it 'free text' that is used by PBI to get the username in the DAX?
If each customer will have his own report, then why do you need RLS at all? Just make the report to show what the user is supposed to see. Or you want to have a single report (or set of reports), which is shared between the users and they should see only their data? I will assume it is the later one.
I will start with the last question - the effective identity is not a "free text". It must be a valid user name, having rights to access the data, as specified in the documentation:
The effective identity that is provided for the username property must be a Windows user with permissions on the Analysis Services server.
The you can define RLS in your Analysis Service model, by adding a "users security" table, where you specify which rows should be visible to each user. Define relationships between this users security table and other tables in the model, and then let RLS to filter the data in the security table. The relationships with the rest of the model will apply cascade filtering on the data, so only relevant rows will be visible to the user. See Implement row-level security in an Analysis Services tabular model for example.
So the answer of your second question is no, you don't need a separate role for each user, because the filtering is based on the username and for every user it filters the same thing the same way.