PlymouthRock

My feedback

  1. 13 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)

    We’ll send you updates on this idea

    PlymouthRock supported this idea  · 
  2. 2 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Power BI Ideas » APIs and Embedding  ·  Flag idea as inappropriate…  ·  Admin →
    PlymouthRock supported this idea  · 
  3. 1,008 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)

    We’ll send you updates on this idea

    88 comments  ·  Power BI Ideas » Dashboard  ·  Flag idea as inappropriate…  ·  Admin →
    under review  ·  Sirui Sun responded

    Hey all!

    We’ve continued to make progress here, so I wanted to update this thread with our current capabilities for maintaining security on dashboards/reports.

    As always, all of this information can be found in our Row-Level Security (RLS)documentation: https://powerbi.microsoft.com/en-us/documentation/powerbi-admin-rls/

    > If you have set up RLS in Analysis Services, Power BI will send the signed-in user’s credentials to Analysis Services, and respect the RLS rules set up on the on-premises model.

    > Separately, you can set up RLS in Power BI for data sources that you import or connect to via DirectQuery. This process starts in PBI Desktop, where you define roles, and write DAX to constrain what data these roles can see. As part of this process, can you use the UserPrincipalName() DAX function to get the current signed in user’s UPN (e.g. joe@contoso.com). Then, once you publish to service, you can assign users to these…

    PlymouthRock commented  · 

    We've implemented RLS using DAX. The queries run 10 times slower. It appears that all of the data is returned to the client and then DAX filters it. To get the performance we need, we have to have the identity passed through to SQL Azure RLS via session_context.

    PlymouthRock commented  · 

    Hi Sirui,

    Any update on identity pass through to Azure SQL. We know it is under consideration, but we need to know if it will be implemented.

    Thanks,

    Tim

    PlymouthRock commented  · 

    This is also a deal breaker for us. We currently are working on a Multi-Tennant enterprise app using RLS in SQL Azure. All of our security is defined with Security Predicates in the database and we are adding the User ID in session context in our web application.

    We have started testing PowerBI embedded with Direct Query. With the ability to set User data in the Access Token, it shouldn't be that difficult to have PowerBI set session context after it connects to the database.

    It should be configurable to allow the developer to set any session context variable they choose.

    This would keep security where it belongs in the SQL database.

    PlymouthRock supported this idea  · 
  4. 291 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)

    We’ll send you updates on this idea

    30 comments  ·  Power BI Ideas » Desktop  ·  Flag idea as inappropriate…  ·  Admin →
    PlymouthRock supported this idea  · 
  5. 19 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)

    We’ll send you updates on this idea

    PlymouthRock supported this idea  · 
    PlymouthRock commented  · 

    Excellent Idea. We are trying out PowerBI embedded to an Azure database that has RLS implemented via Security Policies and SESSION_CONTEXT.

    I don't think you would need to modify the connection string for User Id. The User Id value could be passed in the Access Token passed into the report execution.

  6. 57 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)

    We’ll send you updates on this idea

    4 comments  ·  Power BI Ideas » Data Sources  ·  Flag idea as inappropriate…  ·  Admin →
    PlymouthRock commented  · 

    SQL Server 2016 has row level security with the use of Security Profiles and Session Context. If PowerBI could set a session context variable after connecting with Direct Query then RLS would be properly applied in SQL Server and not PowerBI.

    We could set the approriate session context variable as part of the Assess Token passed to the embedded report.

    PlymouthRock supported this idea  · 

Feedback and Knowledge Base

Ready to get started?

Try new features of Power BI today by signing up and learn more about our powerful suite of apps.