Windows AD user (Analysis Services)
When using Analysis Services and implementing a Row-Level Security (RLS) rule, it is common to face the challenge of having to map users individually in Power BI.
If you do not perform this mapping, you will see the following error message in Power BI when trying to access a report that is connected to Analysis Services (SSAS):
This process becomes even more complex when there are multiple cubes, requiring repetitive configuration for each cube, which can be both time-consuming and error-prone.
To access a report that uses Analysis Services in Power BI service, you must configure a user mapping, providing the Entra ID user ([email protected]) and the Windows Active Directory user (DOMAIN\user) for each user and in each cube they will access.
If you have 100 users and 20 cubes, you would need to create 2,000 mappings! And there is no Power BI API to automate this.
Power Embedded Always Innovating
To improve the experience of our users, Power Embedded is introducing significant improvements to simplify this configuration.
On the user creation/editing screen, you can enter the Windows Active Directory (AD) username for this user.
When accessing a report that uses an "AnalysisServices" type data source, Power Embedded will pass this Windows AD user, eliminating the need to manually configure the user mapping in Power BI service for each user/cube.
With this new feature, once the "Windows AD User" field is filled in, Power Embedded automatically applies this configuration to all accessible cubes for this user, significantly reducing the complexity and effort required to maintain data security.
Although Power BI does not have an API to automate this user mapping, Power Embedded has an API where you can automate user registration/updates and set the value of this field.
These improvements not only optimize security administration, but also reduce the workload associated with configuring and maintaining RLS in complex, large-scale environments, providing more efficient and less error-prone data management.
Note: This feature takes priority over the user pinning configuration by company in the Data Sources registration (Help – Data Sources). With this field filled in, the system will use this value in the user's AD mapping and ignores the user pinning configuration.
Adding Administrator Permission to the Gateway
For Power Embedded to implement row-level security (RLS) on cubes that use this Gateway, it is necessary to grant Administrator permission to the application user (PowerEmbedded-App) on the Gateway via Power BI Service.
Access the Manage connections and gateways screen and click on the Manage on-premises data gateways option.
Now click on the 3 ellipses (…) next to the gateway you want to grant permission to and select the Manage Users option.
On the user management screen, search for the name of the application you are using in Power Embedded (the default name is PowerEmbedded-App), check the Administrator permission, and click the Share button.
Now repeat this process for all gateways you need to manage and access data through Power Embedded, especially if you are using a connection to Analysis Services (SSAS).
IMPORTANT: It is not necessary to change the permissions on the data sources, since the Power Embedded user already has administrator permission on the Gateway.
This greatly reduces the effort of having to configure these permissions on each data source, since the number of data sources is much greater than the number of gateways.
Atualizado