AymericO
Regular Visitor

Make users access Reports through an Apps without giving them access to the workspace

Greetings,

Error description: People who don't have access to my Workspace but have been added to the Audience of the App can access the App, but there is an error fetching data for the visual.

 

Here are some details on the issue I am facing:

  • I have a Workspace with an App.
  • The Workspace contains all the elements that I need (Dataflow Gen2 items that put data in my DataLake; the data is then interpreted by my Semantic Model and shown in my Report).
  • The Report works and is successfully published in my App.
  • People who have access to the Workspace can see the Reports and the related data in the App, but people who don't have access to the Workspace but have been added to the Audience of the App can access the App, but there is an error fetching data for the visual.
  • When I look at the Permissions in the Semantic Model, I can see that people who have access through the Audience have an "App" permission.
  • I checked the box "Install this app automatically" in the App.
  • EDIT: My Workspace has a Fabric Capacity lower than F64; all my users have a Power BI Pro license.

What can I do?

Best Regards

 

1 ACCEPTED SOLUTION

Hi  @AymericO 

 

Thank you for this information. Does the user receive the following error? [screenshot]

When your report is based on a Direct Lake semantic model, you need to perform some additional settings to ensure that report users can view the relevant data in the report. Besides the App permission on the semantic model you observed, report users also need to access the source Fabric item. 

 

For a Direct Lake semantic model, there are two account options to access the source Fabric item. The account used to access data is one of the following.

  • If the cloud connection uses SSO (default), it is the report consumer.
  • If the cloud connection uses a fixed identity, it is the fixed identity.

 

The account must at least have Read and ReadData permissions on the source item (lakehouse or warehouse). Item permissions can be inherited from workspace roles or assigned explicitly for the item as described in this article.

 

As the default option is using SSO, the report in the App uses the report users' accounts to access the source Lakehouse SQL Endpoint. This leads to the error for users that don't have access to the Workspace. To resolve this, you can go to Manage permissions of the related lakehouse to share the permission with the users. 

 

I'm testing a new semantic model, so I have to choose "Read all SQL endpoint data". For a default semantic model, it seems you don't need to select additional permissions according to the annotation. I haven't tested it yet, to be honest. 


After sharing the lakehouse with the users, you will see these users have Read permission on the lakehouse. If you go to Manage permissions of the related SQL endpoint of the lakehouse, you will see they have Read and ReadData permissions. Now the users should be able to see data in the visuals.

 

However, this sharing will allow users to access the source Fabric items directly. If you don't like this and want the users to only access the semantic model, please use a fixed identity instead of SSO.

 

For more details and guidance, please read the following articles:

Develop Direct Lake semantic models - Microsoft Fabric | Microsoft Learn

Manage Direct Lake semantic models - Microsoft Fabric | Microsoft Learn

Learn how to specify a fixed identity for a Direct Lake semantic model in Power BI and Microsoft Fab...

 

Best Regards,
Jing
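
The identity rule in the answer above, as an added example (not part of the original post and not Microsoft's code): a small Python model of which account queries the lakehouse under SSO versus a fixed identity, and which App audience members end up with direct access to the source item. The account names, the `DirectLakeModel` class and the permission maps are constructed for illustration; only the `Read`/`ReadData` requirement comes from the thread.

```python
from dataclasses import dataclass
from typing import Optional

# Minimum permissions on the source item (lakehouse or warehouse), per the answer.
REQUIRED = {"Read", "ReadData"}

@dataclass
class DirectLakeModel:
    auth: str                              # "sso" (default) or "fixed"
    fixed_identity: Optional[str] = None   # only used when auth == "fixed"

def effective_identity(model: DirectLakeModel, consumer: str) -> str:
    """Return the account that queries the source item for this consumer."""
    if model.auth == "sso":
        return consumer
    if model.auth == "fixed" and model.fixed_identity:
        return model.fixed_identity
    raise ValueError("auth must be 'sso', or 'fixed' with a fixed_identity")

def audit(model, audience, source_perms):
    """source_perms maps account -> set of permissions on the source item."""
    report = {}
    for user in audience:
        queried_as = effective_identity(model, user)
        missing = REQUIRED - source_perms.get(queried_as, set())
        report[user] = {
            "queried_as": queried_as,
            "visuals_load": not missing,
            "missing": sorted(missing),
            # True means the user can also read the source item outside the report.
            "direct_source_access": "ReadData" in source_perms.get(user, set()),
        }
    return report

# Constructed sample data: one workspace member, one app-audience-only user.
AUDIENCE = ["member@contoso.example", "appuser@contoso.example"]
BEFORE = {"member@contoso.example": {"Read", "ReadData"}}
SHARED = {**BEFORE, "appuser@contoso.example": {"Read", "ReadData"}}
FIXED = {**BEFORE, "svc-report@contoso.example": {"Read", "ReadData"}}

def scenarios():
    sso = DirectLakeModel(auth="sso")
    fixed = DirectLakeModel(auth="fixed", fixed_identity="svc-report@contoso.example")
    return {
        "sso_before_sharing": audit(sso, AUDIENCE, BEFORE),
        "sso_after_sharing": audit(sso, AUDIENCE, SHARED),
        "fixed_identity": audit(fixed, AUDIENCE, FIXED),
    }
```

In the `fixed_identity` scenario the app-only user sees data while `direct_source_access` stays false, which is the least-privilege outcome the answer recommends when consumers should reach only the semantic model.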

9 REPLIES
v-jingzhan-msft
Community Support

Hi @AymericO 

 

For app consumers, there are two options of license requirements. Reference: Publish an app in Power BI - Power BI | Microsoft Learn

  • If the workspace for this app is not in a Power BI Premium capacity: All business users need Power BI Pro or Premium Per User (PPU) licenses to view your app.

  • If the workspace for this app is in a Power BI Premium capacity/F64 or higher Fabric capacity: Business users without Power BI Pro or Premium Per User (PPU) licenses in your organization can view app content. However, they can't copy the reports, or create reports based on the underlying semantic models. Read these articles for details:

 

Can you check whether the people who don't have access to the Workspace but have been added to the Audience of the App have a Power BI Pro or PPU license? Or is the workspace in an F64 or higher Fabric capacity?

 

Best Regards,
Jing
Community Support Team

Hello @v-jingzhan-msft 

Thanks for your response.

The Workspace has a Fabric capacity lower than F64; all the users have a Power BI Pro license.

 

Best Regards,

Aymeric

Hello,

It works! I resolved the issue.
But one more question: by doing this, you allow your users to have access to all data. However, I only want my users to have access to the data I want to show them, with a specific filter. Is there another solution? A workaround would be to have two data sources, one with the raw data, then a second with the pre-filtered data, and the report would only have access to the second source... What do you think?

Hi @AymericO 

 

In that case, using a fixed identity is more recommended. Go to the semantic model's settings page to modify the authentication type. Follow steps in Learn how to specify a fixed identity for a Direct Lake semantic model in Power BI and Microsoft Fab...


 

Best Regards,
Jing

DemoFour
Responsive Resident

Morning @AymericO 

Have a look at this Learn article: Row-level security (RLS) with Power BI - Microsoft Fabric | Microsoft Learn

That should help you in your output. 

DemoFour
Responsive Resident

@AymericO Are you the tenant Admin?  Are you publishing into a premium workspace that has been set up to distribute to the organisation? 

DemoFour
Responsive Resident

@AymericO What licencing SKU are you running your tenant on? 

@DemoFour  The Current license on the workspace is: Fabric capacity
