Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Join us for an expert-led overview of the tools and concepts you'll need to become a Certified Power BI Data Analyst and pass exam PL-300. Register now.

Reply
programthings
Frequent Visitor

Power Bi Embedded Dynamic Row Filtering with SQL Server and App Owns Data

‎04-19-2021 06:23 AM

tl;dr all of this already works so why doesn't the api endpoint support passing parameters to the role instead of requiring manual definition unless i'm just not finding the documentation of how row level filtering on a column is supposed to be achieved?

 

 

As my subject mentions, I am using the "App Owns Data" to embed reports for my customers. The data is stored in a SQL Server database. 
I am using RLS and want to be able to do it dynamically. So that a finished report doesn't need to be updated with new role information as customers are added or removed. I just want to be able to filter a column with one or more values in the embed token itself for obvious security reasons.

I am able to acheieve this manually  by creating the role as shown in my attached image. The role name is the same as the value name since they are unique to each of my customers.

programthings_0-1618838337946.png

 

 

So obviously this is achievable, but the 2 dynamic solutions to this i've been able to find require paying extra for Azure Analysis Services or make my customers have to create their own accounts with microsoft which means that microsoft now receives my individual customer data which seems to fly in the face of the "App Owns Data" intention.

The On-Premises Gateway connector clearly supports the ability to filter columns since it works via the manual way!

This leads me to believe I must just be unable to find the instructions of how to specify a column and array of values to filter it at the point of token creation, because everything thing needed to accomplish this is already in use!


Create a function called apiParameters() which can be used similarly to username() and userprincipalname()

"Role Name" [Column] = "manual string"

would be

"Role Name" [Column] = apiParameters()

 

request body would look like this...

 

...
  "identities": [
    {
      "username": "john@contoso.com",
      "roles":  [
        "RoleExpectingParameters": [
          "Param1",
          "Param2"
        ],
        "ManuallyCreatedRole" 
      ],
      "datasets": [
        "cfafbeb1-8037-4d0c-896e-a46fb27ff229"
      ]
    }
  ]
...

 

This would also ensure parameters couldn't be passed unless the report designer intended for that to be allowed by creating a role with apiParameters() as the value

Message 1 of 2
405 Views
0
1 REPLY 1
Anonymous
Not applicable

‎04-21-2021 12:46 AM

Hi @programthings ,

Based on my investigation, we can use DAX function USERNAME() or UserPrincipalName() or the CUSTOMDATA() function to implement dynamic RLS when the models with live connection mode that lie in Azure Analysis Services can use, I have not been able to find other way to achieve.  It must be a function or property that Power BI can recognize if use apiParameters to implement dynamic RLS. . .

Power BI Embedded: Convention-based dynamic Row-level Security

Working with Analysis Services live connections

Best Regards

Message 2 of 2
350 Views
0

Helpful resources

Announcements
Join our Fabric User Panel

Join our Fabric User Panel

This is your chance to engage directly with the engineering team behind Fabric and Power BI. Share your experiences and shape the future.

June 2025 Power BI Update Carousel

Power BI Monthly Update - June 2025

Check out the June 2025 Power BI update to learn about new features.

June 2025 community update carousel

Fabric Community Update - June 2025

Find out what's new and trending in the Fabric community.

View All