We currently host data for multiple users in our database. I'd like to implement embedded power BI into our web app. When the user logs into our system, I'd like the data source to be filtered according to the user that is logged in, so e.g. SELECT * FROM Table1 WHERE ItemID in (ItemID1, ItemID2) etc..., we aren't going to know what ItemID1, ItemID2 etc... are until after the user has logged on.
Is this possible with PowerBI embedded?
To filter data for Power BI users based on which user is logging in to the embedded web app, complete the following:
Sample:
Create a table to store the usernames for each filter "group."
You will use DAX to create a measure to identify the users from your table, and assign them to a specific user role group. Below is the DAX to use:
[USERNAME] = [Current User]
Create the measure described in point #2 in the Row-Level security settings. By creating different "groups" for the users, you are essentially dynamically-building a "filter," where you only show the users what they should be seeing--thus resulting in pseudo-filtering. For more information see the following:
https://learn.microsoft.com/en-us/power-bi/desktop-tutorial-row-level-security-onprem-ssas-tabular
http://community.powerbi.com/t5/Service/Restricting-filters-to-specific-users-in-Power-BI-report/td-p/109111
Hope this helps!
Related
I would like to allow users privileges by region with PBI DAX expression implementation to first get USERPRINCIPALNAME then proceed to get their region.
User Table:
Scenario:
When Shaun login to powerBI service. He only can view the dashboard and dataset in region R10.
If you have multiple tables you want to control with dynamic security, you might prefer an approach based on the propagation of the security filters through the relationships instead of using a DAX expression for every table you want to filter.
What we have to do is to create a new role and use this code to apply security filter for the user table :
[EMAIL]= USERPRINCIPALNAME()
The second thing to do is to apply bi-directionnal filtering for the relationship betwen user_region and region.
I am wanting to know how secure Row-Level Security is.
We are currently working on creating a dashboard that would be shared with 500 users within our organisation. All of these users are managers and we would be using dynamic row-level security so that each user would only be able to view information in the dashboard related to their own team.
I have tested RLS and it worked fine, but I have had another Power Bi user tell me that RLS is not completely secure as my base data is coming from excel. My base data is in excel, but I convert it into a pbix file in Power Bi desktop before creating the role, then publishing to power bi service, where I assign users to the role and give read only access.
I am wondering once I have shared the dashboard with these users is there any way for them to get around the RLS and access the base data?
Thanks in advance,
Amy
There are a number of factors to consider for imported data.
If the user can download the report, they could remove the role and access all the data. I would recommend turning this off in the Power BI Admin protal for selected users, or an AD group.
They could connect to the dataset via Excel or another report and get the data that way without the role level filter being used. Having them as read only is one way of stopping them altering the report. I would suggest deploying the report as an app, then they can only access the surfaced report not the underlying dataset.
I'm kind of new to PBI and I'm looking if it's the right tool for my case.
I would like to use Power BI Embedded in a web application for our customer (where they're logged in) which do not have any Power BI account/licence.
The database on which the reports are based are on-premise so we're would use Analysis Service Live Connection to access them.
Each customer should have his own report.
Is it possible to use RLS in that case?
Does that mean we've to create a role for each of them?
What username should be given in the EffectiveIdentity? Is it 'free text' that is used by PBI to get the username in the DAX?
If each customer will have his own report, then why do you need RLS at all? Just make the report to show what the user is supposed to see. Or you want to have a single report (or set of reports), which is shared between the users and they should see only their data? I will assume it is the later one.
I will start with the last question - the effective identity is not a "free text". It must be a valid user name, having rights to access the data, as specified in the documentation:
The effective identity that is provided for the username property must be a Windows user with permissions on the Analysis Services server.
The you can define RLS in your Analysis Service model, by adding a "users security" table, where you specify which rows should be visible to each user. Define relationships between this users security table and other tables in the model, and then let RLS to filter the data in the security table. The relationships with the rest of the model will apply cascade filtering on the data, so only relevant rows will be visible to the user. See Implement row-level security in an Analysis Services tabular model for example.
So the answer of your second question is no, you don't need a separate role for each user, because the filtering is based on the username and for every user it filters the same thing the same way.
I'm using the power bi embedded Row Level Security. According to the documentation given here we need to add a role in the power bi desktop and use a DAX expression like [ColumnName] = USERNAME(). So that this filter will work when the user has that particular role.
My question is is there any chance to use the DAX expression anywhere to filter data using the Username directly?
Thanks in advance
Accessing usernames
If User owns data is used for embedding, then while authenticating, the username is accessible in the code.
Or, even if using App owns data, if you authenticate your users while accessing your portal, then you can get the username while authentication.
Below is an example on JS
oCommon.authContext.getCachedUser();
Below is an example in C#
HttpContext.Current.User.Identity.Name;
Filtering in the embedded report
Further, by using filtering capabilities of Power BI embedding, the report can be filtered on the username value fetched during authentication.
Avoid flickering
You will be able to apply the filter after the report embeds, if you use powerbi.embed().
Instead use the concept of phased embedding, where before the report even renders, you can apply the filter. So apply the filters after load() and before render(). This will avoid the flicker that you may have with filtering after powerbi.embed().
I need to show data only for logged in user in PowerBI. He is manager and in drop down i want to show list of employees under him. Also, only load for all employee whose manager is logged in user
We have more than 1 million rows for a day, so I want to hit database only for logged in username, Also, date parameter will be used from UI.
let
Source = Sql.Database("10.3.13.217", "TimeQSupport", [Query="DECLARE #StartDate date, #EndDate date,#UserName varchar(255);#(lf)SET #StartDate='" &DateBegin& "';#(lf)SET #EndDate='" &DateEnd& "';#(lf)SET #UserName='Gurminder'#(lf)execute usp_getTimeQeyDataPowerBI #StartDate=#StartDate, #EndDate=#EndDate, #UserName=#UserName#(lf)#(lf)"])
in
Source
Screen shot of powerBI views.
Are you viewing the report in PowerBI.com or using an embedded view of PowerBI?
From your question i assume you are using direct query, when using direct query to SQL Azure, you can get data filtered on the SQL server level using single-sign-on (as described in https://learn.microsoft.com/en-us/power-bi/service-azure-sql-database-with-direct-connect), this is only supported for SQL Azure, and only when using PowerBI.com (not PowerBI embedded).
Alternatively - you can switch to imported data (and refresh the data upto 8 times a day), this will allow you to set row-level-security on the dataset using PowerBI desktop (see https://learn.microsoft.com/en-us/power-bi/service-admin-rls)