Let me start by thanking Adam Saxton aka Guy in a Cube and Hope Foley for helping me with this post.
Power BI has made sharing dashboards and reports inside and outside of an organization relatively simple. All you really need is an email address. Now, whether or not the person will be able to successfully view the shared dashboard depends on the data source. To complicate things further, what if you want to secure what data that person can or cannot see using Row-level Security (RLS).
Let’s assume that someone has built a dashboard that is directly connected to SQL Server Analysis Services (SSAS). That person shares the dashboard with someone outside of their organization. When the person outside the organization attempts to open the report he/she should only see data for a particular School District, Sales Region, Department, etc… To illustrate this, let me paint a picture using the following image:
- pleblanc@contoso.com creates a reports.
- pleblanc@contoso.com publishes the reports to PowerBI.com.
- The report has a live connection to a SQL Server Analysis Services (SSAS) Semantic Model.
- pleblanc@contoso.com shares a dashboard with jdoe@adventureworks.com.
- jdoe@adventureworks.com attempts to open the dashboard and nothing.
Before I explain how to fix this, let’s take a look at what’s happening behind the scenes.
- When jdoe@adventureworks.com opens the dashboard a connection string is created including the effectiveusername property, which is expected behavior.
- The value specified for this property is jdoe@adventureworks.com.
- The connections string including the queries are sent via the On-Premises gateway to the SSAS server that hosts the data needed to view the report.
- Once the connection is established, using the username and password specified in the Data Source settings, all queries are executed using jdoe@adventureworks.com.
This is where the problem occurs. Because this person is external to contoso.com, it is highly unlikely that he/she will have any permissions to access the SSAS Server. As a result, the queries are not executed.
How do you solve this problem? With a feature called Map user names. Start by signing into PowerBI.com and navigate to Manage Gateways.
On the Gateways page, expand your gateway and click on the data source for the shared dashboard. In the properties window for the selected data source click Users.
Towards the bottom of the page click on the button labeled Map user names.
Click that button and the Map user names window will open on the right side of the screen.
Ensure that the Effective user names radio button is selected. Enter the shared/external users email address in the column labeled Replace and enter and account that has appropriate permissions to your Semantic model in the column labeled With. Click the button labeled ADD. By doing this, jdoe@adventureworks.com will be replaced with the user you specified, allowing the reports to work. Not only does the report open successfully for jdoe@adventureworks.com, but it will only display data for the internal user based on the RLS configuration in your Semantic model.
Please note that the user you specified in the With column must be included in a role on the Semantic model that has been configured for RLS if that is a requirement.
This approach has assisted me in solving a very common issue faced by my customers. For example, I work with County and Department of Education groups that would like to share SSAS sourced Power BI dashboards and reports with Districts and Schools. The challenge is as stated above. When someone from the school or district attempts to access the content and error is returned. Using the approach in this blog easily solves the problem. The external users are mapped to internal users that are part of a role that has been secured to see only specific data. When a person opens a report, data for a specific district is the only data that is available. Problem solved!
Talk to you soon,
Patrick LeBlanc
Data Platform Solution Architect, Microsoft