Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Power BI is turning 10! Let’s celebrate together with dataviz contests, interactive sessions, and giveaways. Register now.

Reply
dpiret
Helper I
Helper I

PBI Service ignores the dataset’s credentials to the data source.

‎08-21-2021 10:48 AM

Scenario: On-premises SQL Server, with Gateway, having implemented RLS and two users: masterUser (access to all) and userOne (access to a limited set of rows).

 

In PBI Desktop, I created the following Direct Query datasets,

- datasetMaster using masterUser credentials.

- datasetUserOne using userOne’s credentials.

 

From PBI Desktop, both work fine: reports based on datasetMaster retrieve all rows; the ones based on datasetUserOne retrieve only the filtered rows.

 

  • Uploaded datasetMaster to Power BI service: works well, all rows retrieved.
  • Uploaded datasetUserOne to Power BI service: WRONG retrieves all rows as masterUser, presumably using the same credentials.

 

*How can I force each dataset to use its credentials*? This already seemed to be a problem back in 2018 [Problem with two dataset of same database but different user access](https://community.powerbi.com/t5/Service/Problem-with-two-dataset-of-same-database-but-different-use...)

 

The final scenario in case it matters: I need a Power BI single-tenant embedded workspace-based isolation (to allow SaaS users to create their reports) with direct query  (near real-time updates), each workspace accessing only its tenant’s data (RLS on the data source)

 

Thanks for helping!

Labels:
Message 1 of 9
2,348 Views
0
1 ACCEPTED SOLUTION
Greg_Deckler
Super User
Super User
In response to dpiret

‎08-22-2021 09:45 AM

@dpiret Actually, I think you want this:

Multiple data source definitions on the On-premises data gateway for the same data source | Microsof...



Follow on LinkedIn
@ me in replies or I'll lose your thread!!!
Instead of a Kudo, please vote for this idea
Become an expert!: Enterprise DNA
External Tools: MSHGQM
YouTube Channel!: Microsoft Hates Greg
Latest book!: Power BI Cookbook Third Edition (Color)

DAX is easy, CALCULATE makes DAX hard...

View solution in original post

Message 8 of 9
2,097 Views
0
8 REPLIES 8
dpiret
Helper I
Helper I

‎08-22-2021 08:58 AM

Gotcha, @Greg_Deckler 

Acutally the test was simple: I changed the user in the PBI Service>Gateway>Datasources to UserOne. Now, all reports are filtered, no matter whether the dataset had credentials for Master.

So, it is not a cache issue, but a matter of the Gateway's data source requiring its own authentication, ignoring the dataSet's, for PBI Service only.

I suspect this article Easier set up of datasets in Power BI | Microsoft Power BI Blog | Microsoft Power BI by @kayu  has a key to it, but I struggle to find a stright answer.

 

thanks!

d

 

Message 7 of 9
2,120 Views
0
Greg_Deckler
Super User
Super User
In response to dpiret

‎08-22-2021 09:45 AM

@dpiret Actually, I think you want this:

Multiple data source definitions on the On-premises data gateway for the same data source | Microsof...



Follow on LinkedIn
@ me in replies or I'll lose your thread!!!
Instead of a Kudo, please vote for this idea
Become an expert!: Enterprise DNA
External Tools: MSHGQM
YouTube Channel!: Microsoft Hates Greg
Latest book!: Power BI Cookbook Third Edition (Color)

DAX is easy, CALCULATE makes DAX hard...
Message 8 of 9
2,098 Views
0
dpiret
Helper I
Helper I
In response to Greg_Deckler

‎08-23-2021 01:12 AM

Thanks, @Greg_Deckler that worked like a charm!

 

I can create data sources programmatically too.

 

For the sake of completeness, the alternative I found was using query parameters based on Change the Source of Power BI Datasets Dynamically Using Power Query Parameters and How do I pass parameters to my SQL statement?

 

Message 9 of 9
2,054 Views
Greg_Deckler
Super User
Super User

‎08-21-2021 11:44 AM

@dpiret I thought you said that masterUser should have access to all rows but then you say this is incorrect? Make sure that both users are not Members or Owners of the workspace. RLS does not apply in that situation.



Follow on LinkedIn
@ me in replies or I'll lose your thread!!!
Instead of a Kudo, please vote for this idea
Become an expert!: Enterprise DNA
External Tools: MSHGQM
YouTube Channel!: Microsoft Hates Greg
Latest book!: Power BI Cookbook Third Edition (Color)

DAX is easy, CALCULATE makes DAX hard...
Message 2 of 9
2,297 Views
0
dpiret
Helper I
Helper I
In response to Greg_Deckler

‎08-22-2021 02:51 AM

Hi @Greg_Deckler , thanks for replying!

Let me clarify these points:

  • RLS is applied at database level, not Power BI
  • Both users (Master and UserOne) are SQL Server users, no email, no relation with PowerBI's or AAD users whatsoever.
  • My goal is creating a dataset per workspace that will pull the data from SQL Server (Direct Query) already filtered for each workspace/ DB user. So, tenantOne, will have its SQL Server user, PBI workspace and PBI dataSet. 

The problem

SQL Server user MasterUser works fine in all situations: it retrieves all rows when connecting directly to SQL Server (no Power BI), when I create a dataset with Power BI Desktop and when I upload that dataset to Power BI service.

 

In the other hand, UserOne works fine in only two situations: it retrieves filtered rows directly on SQL Server, and when I create a dataset in PowerBI Desktop (although I had to clear all credentials from PBI Desktop first, otherwise the previous credentials are cached.)

But, when I upload this dataset to PBI Service (with UserOne's credentials), the data retrieved are not filtered, it retrieves all rows,

 

My assumption is that either Power BI Service or the Gateway are caching the first credentials, but I have no way to tell.

 

In case it can help, here's some more information:

- I'm using service principal

- In PBI Service, dataset Settings, Data Source Credentials, I've got "admin has granted access, credentials are not required". This sounds like the problem, but I'm unable to figure out how to work around it.

dpiret_0-1629625021108.png

- The Gateway's Data Source section requires authentication, and is configured using MasterUser's credntial. Maybe the dataset is using these credentials instead of the ones provided in the dataset's configuration?

 

dpiret_2-1629629121653.png

 

  

I understand this architecture should work (SQL Server RLS/SQL Server user/dataset using specific credentials), especially because it is frequently mentioned in MS docs. Example:

Question: My data source already has security roles defined (for example SQL Server roles or SAP BW roles). What is the relationship between these and RLS?

Answer: The answer depends on whether you're importing data or using DirectQuery. If you're importing data into your Power BI dataset, the security roles in your data source aren't used. In this case, you should define RLS to enforce security rules for users who connect in Power BI. If you're using DirectQuery, the security roles in your data source are used. When a user opens a report Power BI sends a query to the underlying data source, which applies security rules to the data based on the user's credentials

 

 Thanks for helping!

 

Message 3 of 9
2,230 Views
0
Greg_Deckler
Super User
Super User
In response to dpiret

‎08-22-2021 07:39 AM

@dpiret I believe you are correct in your analysis. Just like how you had to clear the credentials in Desktop to apply the new credentials, the data source is only defined a single time in your Gateway. The easiest way to fix this is to connect to your database using an alternate DNS name. Then this will become a second instance of the data source and you can use the other credentials for it.



Follow on LinkedIn
@ me in replies or I'll lose your thread!!!
Instead of a Kudo, please vote for this idea
Become an expert!: Enterprise DNA
External Tools: MSHGQM
YouTube Channel!: Microsoft Hates Greg
Latest book!: Power BI Cookbook Third Edition (Color)

DAX is easy, CALCULATE makes DAX hard...
Message 4 of 9
2,206 Views
0
dpiret
Helper I
Helper I
In response to Greg_Deckler

‎08-22-2021 08:30 AM

Thanks @Greg_Deckler 

I don't think adding a DNS name per tenant/workspace/dataset will be possible. There are hundreds of them, and should be created along with the customer's SaaS tenant (since it will be used in and embedded "for yourcustomers/App owns data" application.

 

I'll keep digging, in case there's any other solution 🙂

Thanks!

 

Thanks!

 

Message 5 of 9
2,191 Views
0
Greg_Deckler
Super User
Super User
In response to dpiret

‎08-22-2021 08:32 AM

@dpiret I guess my point was to try it and see if it fixed it first. Just to confirm it is in fact the problem you think it is. Because if that isn't the problem then it is something else that we would need to fix. There are other fixes like having multiple gateway clusters, etc and probably a few more that I could come up with but would need to know if it is actually the problem.



Follow on LinkedIn
@ me in replies or I'll lose your thread!!!
Instead of a Kudo, please vote for this idea
Become an expert!: Enterprise DNA
External Tools: MSHGQM
YouTube Channel!: Microsoft Hates Greg
Latest book!: Power BI Cookbook Third Edition (Color)

DAX is easy, CALCULATE makes DAX hard...
Message 6 of 9
2,180 Views
0

Helpful resources

Announcements
Join our Fabric User Panel

Join our Fabric User Panel

This is your chance to engage directly with the engineering team behind Fabric and Power BI. Share your experiences and shape the future.

June 2025 Power BI Update Carousel

Power BI Monthly Update - June 2025

Check out the June 2025 Power BI update to learn about new features.

June 2025 community update carousel

Fabric Community Update - June 2025

Find out what's new and trending in the Fabric community.

View All