Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Be one of the first to start using Fabric Databases. View on-demand sessions with database experts and the Microsoft product team to learn just how easy it is to get started. Watch now

Reply
bw_chec
Frequent Visitor

Best Way to Share Power BI Reports

‎09-02-2024 07:05 AM

Hi,

 

I have a production workspace in Fabric with a production Lakehouse.

 

I do not want to give users access to the whole lakehouse, but use the manage onelake data access to create groups to see different tables. 

If I create a report on a semantic model using DirectLake, and give a user access to both, the users get a 'couldn't load the data for this visual' error. This can be fixed by giving them full access to the whole lakehouse.

 

Can someone explain the best method of using a service principal to own a lakehouse/semantic model data so that I can ensure more granular access? 

 

Message 1 of 7
451 Views
0
1 ACCEPTED SOLUTION
suparnababu8
Solution Sage
Solution Sage

‎09-04-2024 10:01 PM

Hi @bw_chec 

To manage granular access to your Lakehouse and semantic model in Fabric while using DirectLake, you can leverage a service principal. Here’s a step-by-step guide to help you set this up:

1. Create a Service Principal:

  1. Azure Active Directory:

    • Go to the Azure portal and navigate to Azure Active Directory.
    • Create a new app registration for your service principal.
    • Note down the Application (client) ID and Directory (tenant) ID.

  2. Certificates & Secrets:

    • Generate a client secret for the service principal and note it down.

2. Assign Roles to the Service Principal:

  1. Azure Storage Account:

    • Navigate to your Azure Storage Account.
    • Assign the service principal to the appropriate roles (e.g., Storage Blob Data Contributor) to ensure it has the necessary permissions to access the Lakehouse data.

  2. Power BI Service:

    • In the Power BI service, navigate to the workspace containing your Lakehouse.
    • Add the service principal as a member or admin of the workspace.

3. Configure Data Access in Fabric:

  1. Manage OneLake Data Access:
    • Use the “Manage OneLake Data Access” feature to create groups and assign permissions to specific tables.
    • Ensure that the service principal has the necessary permissions to access the required tables.

4. Set Up the Semantic Model:

  1. Create a Semantic Model:

    • Create a semantic model in Power BI using DirectLake.
    • Ensure that the service principal has access to the semantic model.

  2. Configure Row-Level Security (RLS):

    • Implement RLS in your semantic model to control access to specific data based on user roles.
    • Assign the service principal to the appropriate roles to enforce granular access.

5. Use the Service Principal in Reports:

  1. Connect to the Semantic Model:
    • When creating reports, connect to the semantic model using the service principal credentials.
    • Ensure that users accessing the reports have the necessary permissions to view the data.

Best Practices:

  • Test Access: Before deploying to production, test the access permissions to ensure users can only see the data they are authorized to view.
  • Monitor and Audit: Regularly monitor and audit access to ensure compliance with your data governance policies.
  • Documentation: Document the setup and access controls to maintain clarity and ease of management.

By following these steps, you can ensure more granular access control to your Lakehouse and semantic model, while avoiding the need to give users full access to the entire Lakehouse

 

https://www.youtube.com/watch?v=IKhKjtoPjG8

https://radacad.com/power-bi-default-semantic-model-or-custom-a-guide-for-using-in-fabric-environmen...

View solution in original post

Message 7 of 7
318 Views
0
6 REPLIES 6
suparnababu8
Solution Sage
Solution Sage

‎09-04-2024 10:01 PM

Hi @bw_chec 

To manage granular access to your Lakehouse and semantic model in Fabric while using DirectLake, you can leverage a service principal. Here’s a step-by-step guide to help you set this up:

1. Create a Service Principal:

  1. Azure Active Directory:

    • Go to the Azure portal and navigate to Azure Active Directory.
    • Create a new app registration for your service principal.
    • Note down the Application (client) ID and Directory (tenant) ID.

  2. Certificates & Secrets:

    • Generate a client secret for the service principal and note it down.

2. Assign Roles to the Service Principal:

  1. Azure Storage Account:

    • Navigate to your Azure Storage Account.
    • Assign the service principal to the appropriate roles (e.g., Storage Blob Data Contributor) to ensure it has the necessary permissions to access the Lakehouse data.

  2. Power BI Service:

    • In the Power BI service, navigate to the workspace containing your Lakehouse.
    • Add the service principal as a member or admin of the workspace.

3. Configure Data Access in Fabric:

  1. Manage OneLake Data Access:
    • Use the “Manage OneLake Data Access” feature to create groups and assign permissions to specific tables.
    • Ensure that the service principal has the necessary permissions to access the required tables.

4. Set Up the Semantic Model:

  1. Create a Semantic Model:

    • Create a semantic model in Power BI using DirectLake.
    • Ensure that the service principal has access to the semantic model.

  2. Configure Row-Level Security (RLS):

    • Implement RLS in your semantic model to control access to specific data based on user roles.
    • Assign the service principal to the appropriate roles to enforce granular access.

5. Use the Service Principal in Reports:

  1. Connect to the Semantic Model:
    • When creating reports, connect to the semantic model using the service principal credentials.
    • Ensure that users accessing the reports have the necessary permissions to view the data.

Best Practices:

  • Test Access: Before deploying to production, test the access permissions to ensure users can only see the data they are authorized to view.
  • Monitor and Audit: Regularly monitor and audit access to ensure compliance with your data governance policies.
  • Documentation: Document the setup and access controls to maintain clarity and ease of management.

By following these steps, you can ensure more granular access control to your Lakehouse and semantic model, while avoiding the need to give users full access to the entire Lakehouse

 

https://www.youtube.com/watch?v=IKhKjtoPjG8

https://radacad.com/power-bi-default-semantic-model-or-custom-a-guide-for-using-in-fabric-environmen...

Message 7 of 7
319 Views
0
lbendlin
Super User
Super User

‎09-02-2024 07:55 AM 
I have a production workspace

Is that based on a F64 or better capacity SKU?

Message 2 of 7
430 Views
0
bw_chec
Frequent Visitor
In response to lbendlin

‎09-02-2024 11:55 PM

@lbendlin F64

Message 3 of 7
385 Views
0
lbendlin
Super User
Super User
In response to bw_chec

‎09-03-2024 04:06 AM

Give your users build access via the app.

Message 4 of 7
378 Views
0
bw_chec
Frequent Visitor
In response to lbendlin

‎09-03-2024 04:11 AM

I gave users access to the app, but they got a 'couldn't load the data for this visual' error. They were viewers of the workspace, the app and the semantic model.

 

Giving table access using a group in 'manage onelake access' didn't work either.

The only fix was to give them access as a viewer to the whole lakehouse, but this is not ideal. 

bw_chrc_0-1725361655496.png

 

I am going to create a workspace per department, with shortcuts to my central gold lakehouse of only the tables that the department's default semantic model needs. I will build an app off this. 

 

Is there something that needs to happen here in the semantic model gateway? Do i need to create a service principal connection for every semantic model I build? 

bw_chrc_1-1725361856354.png

 

Message 5 of 7
377 Views
0
lbendlin
Super User
Super User
In response to bw_chec

‎09-04-2024 05:13 PM 
They were viewers of the workspace, the app and the semantic model.

Don't do that. Anyone who is not a developer or UAT tester should not get access to the workspace. Only share via the app.

 

Is there something that needs to happen here in the semantic model gateway? Do i need to create a service principal connection for every semantic model I build?

No and no.  But check your company's firewall rules.

Message 6 of 7
332 Views
0

Helpful resources

Announcements
Las Vegas 2025

Join us at the Microsoft Fabric Community Conference

March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount!

ArunFabCon

Microsoft Fabric Community Conference 2025

Arun Ulag shares exciting details about the Microsoft Fabric Conference 2025, which will be held in Las Vegas, NV.

December 2024

A Year in Review - December 2024

Find out what content was popular in the Fabric community during 2024.

View All