I have an on-premise data gateway connecting to an on-premise SSAS 2019. I've been able to get it to work, but only by adding the account used to connect to the SSAS (i.e. the credentials set up in the data source on the gateway) to the Local Administrators group on the SSAS server. I'd prefer it if this wasn't necessary and I had a setup with more minimal permissions.
The setup is as follows:
When attempting to refresh a PowerBI dataset configured to connect to the SSAS through the on-premise data gateway, I get following error:
the AnalysisServices: XML for Analysis parser: The 'ST@Ranger.com' value of the 'EffectiveUserName' XML for Analysis property is not valid.
When I add the GatewayReader account into the Local Administrators group of the SSAS server, then it works. What permissions / privileges should I give the GatewayReader account so that it no longer has to be a Local Admin?
Thanks in advance
Misunderstanding on my part. The account the SSAS service is running under needs to belong to the Windows Authorization Access group in Active Directory, not the GatewayReader in my example above.
Strangely this group assignment isn't required when the client is on the internal network / domain, but is required in the cross-domain scenario of having the client being the PowerBI cloud service connecting to the on-premise gateway. There's probably something else at play here that I don't understand.
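One way to verify the end state described in the accepted answer, as an added example that is not part of any poster's message: a PowerShell check, run on the SSAS server, that the SSAS service account is in the Windows Authorization Access Group and that the gateway data-source account is not a direct member of local Administrators. It assumes the RSAT ActiveDirectory module, a domain logon account for the service, and the default-instance service name `MSSQLServerOLAPService` (named instances use `MSOLAP$<instance>`); the account name in the comment is constructed.

```powershell
# Added example, not from the thread. Run on the SSAS server.
param(
    [string]$SsasServiceName = 'MSSQLServerOLAPService',   # assumption: default instance
    [Parameter(Mandatory)][string]$GatewayAccount           # e.g. 'CONTOSO\GatewayReader' (constructed)
)
Import-Module ActiveDirectory

# Well-known SIDs, the same in every domain and on every host.
$WaagSid        = 'S-1-5-32-560'   # BUILTIN\Windows Authorization Access Group
$LocalAdminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators

function Resolve-Sid([string]$Account) {
    # Accepts DOMAIN\user or user@domain; throws if the name cannot be resolved.
    ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

# 1. Which account does the SSAS service log on as?
$svc = Get-CimInstance Win32_Service -Filter "Name='$SsasServiceName'"
if (-not $svc) { throw "Service '$SsasServiceName' not found on this host." }
if ($svc.StartName -match '^(NT Service\\|NT AUTHORITY\\|LocalSystem$)') {
    # Virtual and built-in accounts are not domain principals; this check does not cover them.
    throw "Service runs as '$($svc.StartName)'; pass a domain account scenario instead."
}
$svcSid = Resolve-Sid $svc.StartName

# 2. Is that account in WAAG, directly or through nested groups?
#    1.2.840.113556.1.4.1941 is the AD "matching rule in chain" (transitive memberOf).
$waag   = Get-ADGroup -Identity $WaagSid
$filter = "(&(objectSid=$svcSid)(memberOf:1.2.840.113556.1.4.1941:=$($waag.DistinguishedName)))"
$inWaag = [bool](Get-ADObject -LDAPFilter $filter)

# 3. Is the gateway account still a direct member of local Administrators?
#    Nested membership through a domain group is NOT expanded here.
$gwSid      = Resolve-Sid $GatewayAccount
$localAdmin = @(Get-LocalGroupMember -SID $LocalAdminsSid |
                Where-Object { $_.SID.Value -eq $gwSid }).Count -gt 0

[pscustomobject]@{
    SsasServiceAccount        = $svc.StartName
    ServiceAccountInWaag      = $inWaag       # expected: True
    GatewayAccount            = $GatewayAccount
    GatewayAccountLocalAdmin  = $localAdmin   # expected: False
}
```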
That's exactly our problem too. Nobody can tell me if the Discover permission can be given to a non-admin role. Do you have any advice on that?
Speaking from a position of ignorance (I woefully lack experience in the SSAS and PowerBI space), I don't see the SSAS Admin role as big a problem / security risk as I thought it was going to be because of the EffectiveUserName property.
We currently have an SSAS multi-dimensional model and have set up a data source on the on-premise gateway for it. Any report author who attempts to refresh their data set using the gateway will find that the refresh is completed using the Admin creds impersonating the owner of the data set, via the EffectiveUserName property. They will not be able to populate the data set with any data / measure that the owner of the data set does not have permissions for.
I would prefer not to give the account the SSAS Admin role, but I don't see a way around that. As the account is performing impersonation (within the scope of SSAS), the account is always going to be privileged within SSAS. Until Microsoft provides an actual SSO credential type connection for SSAS, as they have done for SQL Server, I don't see a viable alternative.
But it should be possible for the gateway to leverage EffectiveUserName property without us having to grant Local Admin on the server.
The account needs Read and Discover privileges.
The account is an Administrator for the SSAS service and so will have Discover and Read permissions through that. The permission that I'm hoping to "trim" is the account being a Local Administrator of the actual server, i.e. a member of the Windows Local Administrators group.