Move UPN mapping configuration to Enterprise Gateway level
Currently the UPN mapping configuration has to be set per data source.
Let's say you have: 2 SSAS data models, you make a data source for each data model and a group of 30 users who have access to both data models.
Then you are currently forced to duplicate the complete UPN mapping configuration for these 2 data sources in the gateway.
Correct administration of the duplicate UPN mapping configurations will be very difficult.
It would be better to make the UPN mapping configuration an Enterprise Gateway level configuration.
I thought about making it a tenant-wide configuration, which makes sense. But you would need to make sure that only tenant admins can edit the configuration.
Jonas Winther commented
We are currently manually mapping UPNs in 7 data sources in the gateway - apx 20 users per source. This will soon be 100 users, and possibly 10-15 data sources. Not optimal.
We have different user name AND domain mapping, so each name has to be written out fully.
1) Make a better mapping engine. Right now is stops after one correct mapping, and since we have to map both name and domain, I can't simplify thing with e.g. wildcards "*"
2) Make it possible to import a mapping table from e.g. Excel/.csv. It is quite bad you have to type in everything manually when creating a new data source.
David Belton commented
We need to use UPN mapping in our Enterprise Gateway for standard SQL Server connections. Perhaps moving the mapping to the gateway level would solve this issue for us too?
We have many users that want to connect to our SSAS but we do not want to put them on our local domain controller. We only want them to have Azure AD. In order to give them access to the cubes and apply permissions properly, we need to use CUSTOMDATA(). The "Map User Names" feature seems to do what we need but we have a few issues with it. (A) It requires all the usernames to be entered manually into each gateway connection. This is a lot of manual work. Being able to do this from the REST API would really help us streamline this process. (B) The mapping seems to take only the first rule that applies. I'm not sure if this is by design. The documentation doesn't explain it. We would like to be able to apply multiple rules to the same username so that we can map it to multiple permissions (e.g. location, department etc.)
Thanks for the suggestions and comments. I can see how this feature can make a lot of scenarios easier to maintain and manage. We'll consider it in future updates, but it's not currently on our immediate backlog.
Having some way to script UPN mapping would be useful regardless of whether it is at the gateway or data source level.
[Deleted User] commented
Good idea. As user I understand this situation. Last period they must make corrections and the error was taking me!
Marc Cozijnsen commented
Great Idea's. We have in our organization multiple gateways and maintaining the UPN mapping is costing a lot of time and also a higher risk for making errors in the repeating manual job.
Tony Valentine commented
I would love to see it at both the gateway and data source level, with the data source level overriding anything at the gateway level. This way if for some reason you did need different mappings per data source, then you could still do it.