OneNote in Dynamics 365 - sharing set up - microsoft-dynamics

We are setting up a OneNote integration to D365. It appears that only members of the same site can create a OneNote from a record in D365. My concern is that the records in D365 may have sharing restrictions, however notebooks appear all on one site. How could I prevent other members of a site from seeing notes which are not shared with them?

Here is the answer I have received from Dynamics 365 Team: The Dynamics security role and privileges cannot be enforced in Sharepoint/OneNote. We advise customers to limit the number of user members to access Sharepoint.

Related

Power BI - reports embedded, row level security & refresh rate for customers

My team plans to build a web platform which gathers data in a DB about different crypto transactions. I am planning to use Power BI to get that data from the db and build some reports which will be embedded into the web platform, reports which will be accessed by users who log in in the web platform.
Is this possible, taking into consideration the following aspects?
I want to apply row level security access so that users who log on the web platform will be able to see only data related to them?
Should I assign a Power BI Pro license to each user who registers the platform in order to be able to see the data or is there any other solution to this?
How often may I set-up data refreshes/updates? 30 minutes?
I am looking to apply row level security access and have users access the reports based on their web platform login credentials. Hopefully this is possible. I read something about Power BI Report for Customers using App Owns Data. Is this the right solution?
For the App Owns Data, you will be building a portal on top of an embedded capacity. I assume that you will be using an 'A' Sku.
I want to apply row level security access so that users who log on the web platform will be able to see only data related to them?
Yes you can use RLS to control what users see what data, in an embedded context. (See here)
Should I assign a Power BI Pro license to each user who registers the platform in order to be able to see the data or is there any other solution to this?
No, you don't need a PBI Pro license for each user for your platform, this is handled by the capacity. You'll only need Pro for those who are developing the reports. Your other users, handled by your web portal will be 'read only'.
How often may I set-up data refreshes/updates? 30 minutes?
You can set up the report schedule as normal in the portal, up to 48 times per day with a capacity based Power BI Dataset.
I would take a look at the MS documentation here for more details on the what embedded can do, and also capacity planning for your users.
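Added example, not part of the original answer: in App Owns Data the web backend requests an embed token from the Power BI REST API (`GenerateToken`) and names the effective identity that RLS will filter on. This sketch builds that request from the server-side session only; the role names, account types, session fields and GUIDs are assumptions made for illustration.

```python
import re

API_ROOT = "https://api.powerbi.com/v1.0/myorg"
GUID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

# Assumed names: RLS roles defined in the dataset, keyed by portal account type.
ROLES_BY_ACCOUNT_TYPE = {"customer": ["CustomerRows"], "support": ["AllRows"]}


def build_embed_token_request(session, workspace_id, report_id, dataset_id):
    """Return (url, json_body) for the GenerateToken call made by the backend.

    `session` is the server-side session record of the logged-in portal user.
    The effective identity is taken only from it, never from request
    parameters, so a user cannot ask for a token carrying someone else's name.
    """
    if not session.get("authenticated") or not session.get("user_id"):
        raise PermissionError("no authenticated portal session")
    roles = ROLES_BY_ACCOUNT_TYPE.get(session.get("account_type"))
    if not roles:
        # Fail closed: an identity without a role must not receive a token.
        raise PermissionError("account type has no RLS role")
    for value in (workspace_id, report_id, dataset_id):
        if not GUID.fullmatch(value):
            raise ValueError("workspace, report and dataset ids must be GUIDs")

    url = f"{API_ROOT}/groups/{workspace_id}/reports/{report_id}/GenerateToken"
    body = {
        "accessLevel": "View",  # read-only; portal users cannot edit the report
        "identities": [{
            # USERNAME() / USERPRINCIPALNAME() in the role's DAX filter
            # evaluates to this string.
            "username": session["user_id"],
            "roles": roles,
            "datasets": [dataset_id],
        }],
    }
    return url, body


# Constructed sample values.
WORKSPACE = "11111111-1111-1111-1111-111111111111"
REPORT = "22222222-2222-2222-2222-222222222222"
DATASET = "33333333-3333-3333-3333-333333333333"
ALICE = {"authenticated": True, "user_id": "alice@portal.example", "account_type": "customer"}

if __name__ == "__main__":
    print(build_embed_token_request(ALICE, WORKSPACE, REPORT, DATASET))
```

The backend sends the body with its own Azure AD bearer token and hands only the returned embed token to the browser.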

Stop re-sharing of bi report from user end

I am a new user of power bi. I am currently using free account of power bi and used share to web feature to share my report publicly.
Using free account I want to share my report with multiple users while stopping my report consumers to re-share the report. If that is not possible using free account then is it possible to buy only one pro account and attain my objective defined above?
Buying multiple pro accounts for each individual is not possible as there would be many consumers of my report. Buying premium account is also not possible as it is too expensive.
The only way to share reports is from Pro User to Pro User, via Workspaces or direct sharing or App. In the sharing options for the report to the other users you can turn off the allow the recipients to share as well. Or you can allow workspace consumers to be read only.
Sharing using the 'Share to Web' function creates a publicly accessible URL, if anyone passes that URL to anyone else, they will be able to see it, and it is NOT secure, and you can't limit/restrict access.
For these use cases, the best solution is to embed the report in an (web) application. Start with Tutorial: Embed Power BI content into an application for your customers.

Self-Service BI and Compliance

We would like to empower our power users by giving them a self-service BI option. The issue now seems to be of compliance.
Just to be clear - I'm not a full fledged PowerBI developer or Administrator. From what I know, there is a MyWorkspace and Several Workspaces for the various environment such as Dev/QA/Stage/Production and eventually PowerBI Apps which the Business Users get to use; the artifacts gets published from Dev to Stage to Prod.
Compliance (Audit Team) is concerned that the Power-Users might make unwarranted change in the DataSets, Reports and Dashboards in the Production WorkSpace (Pointing to the Production Database) and publish these to the Apps which will eventually get consumed.
Can others share how they have addressed it in their respective environments?
For a workspace, you can set users to be one of four types, Admin, Member, Contributor and Viewer. For full details of what each role can do, see here.
What you need to do is set users as read only, they will not be able to edit or change any of the items in the workspace. I would also recommend in the Power BI Admin portal setting a defined group that allows people to download, export to pdf and those sort of options to stop users modifying locally on their Power BI Desktop.
In the workspace overview, that lists the items in the workspace, go to the 'Access' option, you will then get a list of the users and their current defined roles and the ability to set them to one of the four roles.

MS Dynamics NAV - development licensing basics

I am a newbie self-learning NAV. Some of queries may be foolish ones, hoping to hear from you genius experts!
Really confused with licensing framework.
Queries,
I can identify two types of licenses - Customer license vs Partner license. Customer license is the license for ERP product and includes system functionality packages (starter/extended) and user access(full/limited user). Partner license is what a dev partner subscribes to. There is no relation among those two types, right?
Is a development partner able to make changes to any of the primitive objects (tables/codeunits) that come pre-installed with Starter/Extended pack. Is development partner allowed to modify/enhance the system functionality to any extent?
When a development partner registers with Microsoft, is it given a fixed set of object IDs that it will be using to create new objects? Would it be using same set of IDs for all the customers it would be implementing NAV? So, these IDs are globally unique - no two dev partners be having same IDs?
When I connect to RTC using my domain account, I act as a Full User under Customer License (I can see my user set as full user under Departments=>administration=>General=>Users). If I connect to NAV DEV ENVIRONMENT, I CAN design almost all the tables, but CAN'T any of the CODEUNITS. So, how does security work on DEV Environment???
License depending on context can refer to two different things:
- Application\Development License
- Client License Type
Application \ Development License
Microsoft Dynamics NAV's license model is built on defining Read, Insert, Modify, Delete and Execute on each object in the database (Table, TableData, Form, Report, Dataport, XMLDataport, Codeunit, MenuSuite, Page, Query) this is true for both End Users, Partners and ISV's.
There are different well known ranges of objects that have different meaning, so depending on what the object numbers are you can assume different parties will have access, they are documented here
Your ability to modify objects will depend on the Object Design Granules you have purchased from Microsoft via your Microsoft Partner, a list of the ones relevant to design can be found at link
Depending on when you Purchased your Microsoft Dynamics License different ones would have been included in your starter pack, most commonly users have:
- 7110 Report and Dataport Designer
- 7120 Form and Page Designer
These provide you the ability to modify code within Reports and Forms, and themselves include objects for modification within the customer license range.
The ability to modify Codeunits is part of the Application Builder granule which not a lot of customers have purchased, would likely explain why you can design some object types and not others.
Microsoft Partners have what is equivalent to the Solution Developer License which allows them to modify protected tables (Ledger Tables for instance) in the Base Application range.
Granules
There are a couple of good resources within the system to get information about what permissions you can expect to have within your NAV Instance. In the Microsoft Dynamics IDE you can access your license file (or you can read it as a text file just ignore when it gets into ASCII at the bottom).
You can use the number and name to lookup what each one is used for Example
There is also a report 10313 License Permissions that you can execute that will provide an overview of the ranges and what specific permissions (RIMDE) you have within your license to each one.
Your Microsoft Partner has access to generate a License Report (Detailed or Summary) this will provide a list of the objects you have purchased and where they have been assigned.
In previous licensing programs like Business Ready Licensing (BRL) you would have had to define and purchase each granule individually.
More recently Microsoft has moved to perpetual and subscription licensing which provides most of the application areas you are likely to use.
Object Assignment
The Design Granules come with access to specific objects, if you require additional access to objects in the database they must be purchased separately and then assigned by your Microsoft Partner.
For Example Purchasing 10 Additional Tables grants you the right to 10 Tables, that then need to be assigned to your License by selecting the specific object id's for tables in your database and adding the security.
Development
There are a couple of main types of parties that do development within a Dynamics NAV instance:
Microsoft Solution Partners
These tend to do customer specific development, this is modifications to existing forms and objects, bug fixes and other items that are likely to only apply to a specific customer.
Most of this type of development is done within the existing Microsoft Dynamics NAV object ranges, or if new objects are created it is done within the Customer Design Area (50,000 - 99,999).
Customers that have the in-house skills can typically also do development in this range, as the permissions are in the Client Range.
Independent Software Vendors(ISV)
These are also Microsoft Partners but they focus on developing solutions for multiple customers that will be installed into an array of databases and work in the Certified Partner Design Area (100,000 - 999,999,999) these objects used will be the same for all customers.
A note is that Microsoft Solution Partners, do not automatically have access to modify all ISV objects they need to be provided access to the object ranges the same as an end user would, and in some cases may be unable to modify some objects due to the desires of the ISV (this is rare).
Client License Type
The Full User determines the client license type that is consumed when you connect to the database, and itself does not directly provide security; the Limited user does have a restriction of what it can access.
Your License and Security set-up work together to identify the maximum security that a user can have, as you can add permissions to a user to an object you're not licensed for but as the runtime will not have permission they will still get a security error (this is true even for the SUPER role and MS partners that are not licensed for a specific ISV Solution Range).
I can identify two types of licenses - Customer license vs Partner license. Customer license is the license for ERP product and includes system functionality packages (starter/extended) and user access(full/limited user). Partner license is what a dev partner subscribes to. There is no relation among those two types, right?
Partner license in its nature is the same as customer license. It just grants you more abilities, like create objects, fields, modify code of objects. Those apply to objects included in partner license.
Customer license can also include some additional abilities like report designer which allows customers to modify reports (as from Nav 5, dunno if this was changed in latest versions).
Is a development partner able to make changes to any of the primitive objects (tables/codeunits) that come pre-installed with Starter/Extended pack.
Whether or not partner is permitted to modify certain objects is defined by its license. There may be limitations based on object number. Not sure if there are any but technically it is possible.
Is development partner allowed to modify/enhance the system functionality to any extent?
There are limitations like: you won't be able to delete/insert field from table if field number is in range from 1 to 49999 (so called standard range). But it's not critical since you always can create field in your partner range. Actually your partner/customer range is your main limitation. Which could be leveraged by sending more money to MS ;)
Keep in mind that if you create object in your range, 50010 for example. Your customer must have this range included in his license to use the object. So you both must send more money to MS ;)
When a development partner registers with Microsoft, is it given a fixed set of object IDs that it will be using to create new objects? Would it be using same set of IDs for all the customers it would be implementing NAV? So, these IDs are globally unique - no two dev partners be having same IDs?
Well see this. In short: range 50,000 - 99,999 shared by partners, certified partner can buy a range of objects from 100,000 - 999,999,999 and have it reserved solely for him.
When I connect to RTC using my domain account,I act as a Full User under Customer License (I can see my user set as full user under Departments=>administration=>General=>Users). If I connect to NAV DEV ENVIRONMENT, I CAN design almost all the tables, but CAN'T any of the CODEUNITS. So, how does security work on DEV Environment???
Not sure what you mean by "security". Access to data is restricted by user rights setup. Access to objects is restricted by license.
In Nav before RTC there were special user rights to allow access to object designer (which is now all that is left in Dev Env). As for now I suppose you have to grant that user db_owner role on the database to access Dev Env.

MS Dynamics - permissions on modules

I am entirely new to MS Dynamics and have inherited an MS Dynamics environment with my new job. I replaced an employee who had sole ownership and knowledge about the Dynamics set up.
So I am slowly going through all the database tables and fields attempting to learn.
I have come across a problem which is, when I attempt to open a Timecard Correction module I get a "You do not have proper access rights for this screen" message.
Would someone kindly describe to me what I must do in order to be able to access this screen using my user account?
Note that I have access to the SQL Server databases. And I could only find a "Database Maintenence" application for Dynamics as well as the end user application.
FYI this is what I see when I open MS Dynamics.....
Does anyone in your organization have access to this? If so, then you can check that user's privileges and apply them to your own login. It could be a license issue if no one can access it. In that case, you may have to contact your Microsoft partner that you purchased NAV from to get proper licensing. Good luck.
It was privileges in the end - I found a SYSADMIN account and that did the trick!
thanks.