Power BI Embedded Row Level Security - powerbi

I'm using the power bi embedded Row Level Security. According to the documentation given here we need to add a role in the power bi desktop and use a DAX expression like [ColumnName] = USERNAME(). So that this filter will work when the user has that particular role.
My question is is there any chance to use the DAX expression anywhere to filter data using the Username directly?
Thanks in advance

Accessing usernames
If User owns data is used for embedding, then while authenticating, the username is accessible in the code.
Or, even if using App owns data, if you authenticate your users while accessing your portal, then you can get the username while authentication.
Below is an example on JS
oCommon.authContext.getCachedUser();
Below is an example in C#
HttpContext.Current.User.Identity.Name;
Filtering in the embedded report
Further, by using filtering capabilities of Power BI embedding, the report can be filtered on the username value fetched during authentication.
Avoid flickering
You will be able to apply the filter after the report embeds, if you use powerbi.embed().
Instead use the concept of phased embedding, where before the report even renders, you can apply the filter. So apply the filters after load() and before render(). This will avoid the flicker that you may have with filtering after powerbi.embed().

Related

Work with Power BI Matrix taking data from DAX statement

I have the following requirements:
The user will see a Power BI Matrix on a web page (as opposed to Power BI Desktop).
The web page should have three elements: a text field, a button and the Power BI Matrix (potentially included in a Power BI Report).
The user will enter the DAX statement in the text field and click on the button to direct the Matrix to take the DAX statement, execute it, and populate the data.
The user should be able to drill down in the Matrix.
The user may reenter a new DAX statement, refreshing the Matrix.
Now, all the documentation I could find, for example here, talk about the Matrix in Power BI Desktop (i.e. not web page) and the data taken by selecting manually tables/columns/measures (on the right side of the screen).
In Power BI Studio, I know that I can enter a DAX statement by creating a table in the top bar, for example if I have the DAX:
EVALUATE TOPN (3, branches)
I could create a table to populate the Matrix with:
BranchesTable = TOPN (3, branches)
But how to dynamically link a DAX statment defined at run-time to a Matrix on a web page?
This is not currently possible to do exactly what you want. You can dynamically change a data source and update the query used in a specific report but there isn't an API available (PowerBI REST or PowerBI JavaScript) to update what columns are on a visual in a report. You can get pretty close to what you want but the report cannot be displayed in View mode and it will have to be displayed in Edit mode so the user will have the ability to drag the fields generated from their updated DAX query results onto the Matrix visual manually if they submit a change.
Assuming you already have the pre-requisite App Registration setup and configuration completed and your ready to embed here are some steps to get close to what your looking for. If your not ready to embed there is some documentation below the 8 steps I provided to complete the pre-requisite setup to be able to embed.
Using PowerBI Desktop Create a template report that has a matrix visual and a connection to the data source you want to use. Be sure to set this report up using a specific query and NOT all tables in the data source whether its SQL or SSAS. (You specify the query under advanced options when you initially setup the data source in the report)
Setup a Power BI Data Gateway to the Data Source your report uses
Create a workspace on PowerBI.com to upload the report to
Using PowerBI desktop Publish the report you created in step 1 to the workspace you created in step 3
On your Web Application, when a user views the report viewer page, you need a way to identify each user. Lets assume you have UserId field that is a unique ID for each user. Call GetReports in group https://learn.microsoft.com/en-us/rest/api/power-bi/reports/getreportsingroup. You need to have a known report name plus the UserId. Lets assume its DynamicReport. So call GetReports and check if DynamicReport_UserId exists for the user trying to view the report viewer page in your web application.
In that API calls result from step 5, if the report does not exist for a user, use https://learn.microsoft.com/en-us/rest/api/power-bi/reports/clonereport to clone the template report you published in step 4.
Embed and display user specific template report (DynamicReport_UserId) for the user.
Have logic on the report viewer page so the user can submit and POST a DAX query. When they do a submit have logic to use https://learn.microsoft.com/en-us/rest/api/power-bi/datasets/updatedatasources on the back end to update the data source in their report and then embed the report again with their DAX statement and changed data.
The visual isn't going to automatically update to the new fields from the new query that is submitted by the user but the available data fields they have in editor mode will change. The user will have to drag and drop the fields from their DAX query onto the Matrix visual or whatever visual type they are going to chose to use. You won't be able to just display a report in View mode since you don't have a way to programatically update what fields are on visual. The user may even end up seeing a broken visual initially because of the changed query and the visual referencing fields from the previously used query. You could use PowerBI Javascript API to hide the existing visual to improve the user experience of the user not seeing something broken.
Let me know if you have any specific questions about these API calls or how to use them.
Here is where I've been looking for the Power BI JavaScript functionality https://github.com/Microsoft/powerbi-javascript/wiki (Can't find anything specific to matrix Visuals. The JavaScript functionality for visuals generic to Visuals and not Visual Type like Matrix or Card)
Here is Microsoft's documentation on the available REST APIs and https://learn.microsoft.com/en-us/rest/api/power-bi/
Here are some good resources to learn more about embedding
https://learn.microsoft.com/en-us/power-bi/developer/embedded/register-app
https://learn.microsoft.com/en-us/power-bi/developer/embedded/embedding
If you need drill down capability Hierarchies are a great option
https://spreadsheeto.com/power-bi-hierarchy/

Using RLS with Analysis Service Live Connection in a PBIE "App Owns Data" scenario

I'm kind of new to PBI and I'm looking if it's the right tool for my case.
I would like to use Power BI Embedded in a web application for our customer (where they're logged in) which do not have any Power BI account/licence.
The database on which the reports are based are on-premise so we're would use Analysis Service Live Connection to access them.
Each customer should have his own report.
Is it possible to use RLS in that case?
Does that mean we've to create a role for each of them?
What username should be given in the EffectiveIdentity? Is it 'free text' that is used by PBI to get the username in the DAX?
If each customer will have his own report, then why do you need RLS at all? Just make the report to show what the user is supposed to see. Or you want to have a single report (or set of reports), which is shared between the users and they should see only their data? I will assume it is the later one.
I will start with the last question - the effective identity is not a "free text". It must be a valid user name, having rights to access the data, as specified in the documentation:
The effective identity that is provided for the username property must be a Windows user with permissions on the Analysis Services server.
The you can define RLS in your Analysis Service model, by adding a "users security" table, where you specify which rows should be visible to each user. Define relationships between this users security table and other tables in the model, and then let RLS to filter the data in the security table. The relationships with the rest of the model will apply cascade filtering on the data, so only relevant rows will be visible to the user. See Implement row-level security in an Analysis Services tabular model for example.
So the answer of your second question is no, you don't need a separate role for each user, because the filtering is based on the username and for every user it filters the same thing the same way.

How to implement security in Power BI embedded code?

I have one Power BI file that needs to be embedded in the Power App Portal using Power BI embedded code (iFrame code). I am filtering the iFrame code by applying query parameter filter in the Embedded URL.
The issue is that the value of query parameter can be changed by any end-user who is aware of the value.
For example, if we are passing user id in query string, another user id who knows the values can also change the user id in the same query string.
My question is how to securly pass the parameter in the P-BI embedded? Is there any special encryption method so that the parameter value is encrypted at end user to avoid changing the user ID
You need to implement RLS (Row Level Security). That way, users logging in to view the iFrame will see only data he is supposed to view. You will have to configure roles in power bi-level to determine how data access is determined for each user.
Read This to find out more about RLS.

Connecting Reports to Web APIs with Parameters

I have a client that has a large number of customers, and I have reports that can accept parameters and pass to a REST-based Web API to pull, for example, customer-specific records. This, of course, is easy using Power BI.
The challenge is, there could literally be 500,000 records out there, so filters and passing filters is not really an option. What I need to do is pass a value via Power BI Embedded to the report that will update the parameter of the Web API dynamically.
Such as https://services.server.com/api/customers/{customerId}
.
I have read and experimented with about every technique possible, and yet I still can't seem to pull this simple (and common) scenario off. To confirm, this is would work fine if I allowed a user to filter these values manually, but the goal is to have the Web.Content value be dynamic (like via a parameter) and then the parameter (like CustomerId) get fed to the report externally, like in a Power BI embedded parameter to the report.
Again, this can't be a filter, I just want to do what you used to be able to do with SSRS or Crystal Reports and send something like {parameter} = (or eq) '{some value}' and have the report use that as the datasource JSON feed.
Any thoughts on this frustrating situation?
You can do this with RLS:
https://learn.microsoft.com/en-us/power-bi/developer/embedded-row-level-security
Bring all the 500,000 records to your pbix.
Define a role which will filter based on an username.
When embedding, pass the role and the desired username to the embed token.

Filter data in power BI embedded

We currently host data for multiple users in our database. I'd like to implement embedded power BI into our web app. When the user logs into our system, I'd like the data source to be filtered according to the user that is logged in, so e.g. SELECT * FROM Table1 WHERE ItemID in (ItemID1, ItemID2) etc..., we aren't going to know what ItemID1, ItemID2 etc... are until after the user has logged on.
Is this possible with PowerBI embedded?
To filter data for Power BI users based on which user is logging in to the embedded web app, complete the following:
Sample:
Create a table to store the usernames for each filter "group."
You will use DAX to create a measure to identify the users from your table, and assign them to a specific user role group. Below is the DAX to use:
[USERNAME] = [Current User]
Create the measure described in point #2 in the Row-Level security settings. By creating different "groups" for the users, you are essentially dynamically-building a "filter," where you only show the users what they should be seeing--thus resulting in pseudo-filtering. For more information see the following:
https://learn.microsoft.com/en-us/power-bi/desktop-tutorial-row-level-security-onprem-ssas-tabular
http://community.powerbi.com/t5/Service/Restricting-filters-to-specific-users-in-Power-BI-report/td-p/109111
Hope this helps!