Does Power BI gateway data source ignore credentials used to create dataset? - powerbi

I have a Power BI workbook that I have created in Desktop. It sources from a SQL Server database. I can access this database with account x. My Azure tenant admin has created a data source for this database in our gateway (within the Power BI service), and I have access to this gateway. The admin supplied account y in connecting to this data source. How does this work when I go to refresh the dataset that this workbook creates when I publish it to the service? That is, when I schedule a refresh on the dataset, will it dial into the SQL Server database using account y provided in the data source definition (virtually ignoring / dropping account x's credentials)?

Yep. That's exactly how it works. The automated refresh will use account 'Y.'
Data sources that have been deployed to some hosted location will almost always disregard the credentials used to create the dataset and instead use credentials that are specifically supplied for the refresh. These 'service' accounts will typically have different rules about password resets, have the lowest appropriate levels of access, and be under the purview of system administrators rather than report authors. It's a very standard practice. It protects against misuse, error, loss of accounts, and segregates actual user activity from automated behaviors in the logs.
However, it is a little odd to me that your admin 'created the datasource' -- is that correct? Or did the admin just wire up the gateway to the datasource that was deployed when you published?
If you want to use a datasource that is already published, then you need to connect to that datasource from Power BI Desktop. Otherwise you'll be pushing out something new that has nothing to do with the resources that your admin created.
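An added example (not part of the original answer) of how a refresh account such as account y could be provisioned on the SQL Server side with read-only access to one schema, and how its sessions can be told apart from report authors' sessions. The login name `svc_pbi_refresh`, the database `SalesDb` and the schema `reporting` are hypothetical placeholders.

```sql
-- Added example; svc_pbi_refresh, SalesDb and reporting are hypothetical names.
-- Run as a SQL Server administrator, not as the report author (account x).

USE master;
-- Dedicated login for the gateway data source; replace the placeholder
-- with a generated secret that only the gateway administrators hold.
CREATE LOGIN svc_pbi_refresh WITH PASSWORD = '<generated-secret>';
GO

USE SalesDb;
CREATE USER svc_pbi_refresh FOR LOGIN svc_pbi_refresh;

-- Read-only and scoped to the schema the dataset queries.
-- No db_datareader membership, no write or DDL permissions.
GRANT SELECT ON SCHEMA::reporting TO svc_pbi_refresh;
GO

-- Check the effective permissions while impersonating the refresh account.
EXECUTE AS USER = 'svc_pbi_refresh';
SELECT entity_name, permission_name
FROM sys.fn_my_permissions('reporting', 'SCHEMA');
REVERT;
GO

-- Scheduled refreshes arrive under the service login, so they can be
-- separated from interactive activity by login_name.
SELECT session_id, login_name, host_name, program_name, login_time
FROM sys.dm_exec_sessions
WHERE login_name = 'svc_pbi_refresh';
```

The last query needs `VIEW SERVER STATE` to see sessions other than the caller's own.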

Related

Does direct query connect to sql server using gateway credential or report viewer credentials?

Link: https://learn.microsoft.com/en-us/power-bi/connect-data/desktop-directquery-about#security
The article mentions
DirectQuery allows for a report viewer's credentials to be passed
through to the underlying source and security rules to be applied
there. Single sign-on is supported to SQL Azure datasources, and
through the data gateway to on-premises SQL servers.
This implies that the report viewer's credentials are used to query the underlying data.
Whereas further down it contradicts this:
As discussed earlier in this article, a report in DirectQuery always
uses the same fixed credentials to connect to the underlying data
source, after it's published to the Power BI service. This behavior
applies to DirectQuery, not to live connections to SQL Server Analysis
Services, which is different in this respect. Immediately after
publish of a DirectQuery report, it's necessary to configure the
credentials of the user that will be used. Until you configure the
credentials, opening the report on the Power BI service would result
in an error.
Once the user credentials are provided, then those credentials will be
used whichever user who opens the report. In this way, it's exactly
like imported data. Every user sees the same data, unless row-level
security has been defined as part of the report.
Does direct query connect to sql server using gateway credential or report viewer credentials?
That doc is out-of-date. Single-Sign On (SSO) is available as an option for many cloud and on-prem data sources, including SQL Server and SSO is required for DirectQuery to Power BI Datasets.
All connections to remote Power BI Datasets models are made using
single sign-on.
Using DirectQuery for Power BI datasets and Analysis Services

Power BI Gateway Architecture for SaaS

We are a SaaS provider and would like to open up our data to clients through Power BI. Our solution is hosted in AWS with an RDS database and we plan to make the database available through a Power BI Gateway to RDS.
I am currently trying to work out a way to give my clients the ability to (a) design their own dashboard/reports and (b) embed these reports in our web app.
The plan is to embed reports into the webapp by using the “Embed for your Organisation” approach where the users require a Power BI Pro account.
The key question I have is around managing the Gateway, data sources and data sets. Technically my company will host the Power BI GW in AWS and the idea was that we register the Power BI GW in our account. Ideally we would then give client users access to either the data source itself or a data set based on it. However, when trying to give access to a user of another organisation to either, I get an error message saying “One or more users were not found within your organization.”
I read about B2B Guest access but it is pretty unclear to me and my first tests were not successful.
Can anyone point me to a reasonable architecture or approach for this?
Please note that for cost reasons, we want to avoid Power BI Premium and Capacities and cost is a constraint.

Power BI gateway admin

Context
I need to start sharing Power BI reports with other users (all users are Power BI Pro licenses).
Reports will be in live connection with an Analysis Services and my original data source are on-premise, therefore, I need to install a gateway to transfer data into the cloud.
Question
We already have a capable server for installing the gateway, therefore, my questions are:
Is it wise to install a Gateway VM on that server even though the server is used for other applications?
I don't have access to Power BI Admin Portal and it is tricky to get access to it since we are a very big company all over the world. Can I use an on premises data gateway without a Power BI Admin account? (While installing gateway just adding my account as admin)

How to access Google Sheets Doc via Google BigQuery External Table via Service account

I have a BigQuery table that references a Google Sheet document that my service account can't access. Currently getting
"Error: Not found: Files /gdrive/id/xxxx"
I'm using the NodeJs 3.0.0 client library to access the BigQuery API.
The service user account has Data Editor, Job User and User rights on BigQuery and I have explicitly shared the google sheet to the service account.
For clarity, the user account has no issues querying other tables that it has access to, just a bunch of these external tables.
Any thoughts on what else I might need to do?
After going back through this from the start it turns out the issue was due to Google Doc editor being disabled at an organisation level. This affects both normal users and service accounts. Also ensuring that Domain-wide delegation was in place helped resolve this.

Share Power BI Datasets with Users Outside Organisation

I've connected to an on premises SSAS data source with Power BI Desktop and could successfully publish to the web.
I would like to share the datasets themselves with users outside my organisation so that they can drag/drop the dimensions/measures and create reports and dashboards or reports that they would like to see.
From what I've read it's only possible to share preconfigured dashboards and reports with users outside my organisation. Could someone please tell me if it is possible to share the datasets themselves with users outside my organisation?
If you help the external company set up an On premises data gateway on a VM in your network and help them get it connected to your cube, then the external users can publish the Power BI Desktop report to their Power BI tenant. Is there role based security in your cube that would apply to external users? If so you will need to set up an alternate UPN suffix and user accounts for the external users on your domain as described here. Or you could set up user mappings to use CustomData to pass their username in to your cube that way. With CustomData you change your SSAS roles to have only a service account as a member (not real users) then use the CustomData() MDX function in the dynamic security MDX expressions.
The whole scenario is described more fully here. Though I was talking about hosting in Azure with VMs joined to AAD Domain Services, you could do it with alternate UPN suffixes or CustomData in a regular Active Directory domain.
If your model is Tabular then Azure Analysis Services may greatly simplify the matter. If that's of interest let me know.