Embedded Power BI: Add Multiple Users in Row Level Security and assign different roles

Question

I have downloaded App Owns Data from github - https://github.com/Microsoft/PowerBI-Developer-Samples. I have added Row Level Security by adding the following line:

generateTokenRequestParameters =  new GenerateTokenRequest("View", null, 
       identities: new List<EffectiveIdentity>{new EffectiveIdentity(username: "username", roles: new List<string> { "Role A"}, datasets: new List<string> { report.DatasetId })});

Currently, I can add only one username at a time. Is there any way using which I can multiple users and assign different roles to them? Any help is appreciated!

Answer 1

A little late but... if you have multiple usernames assigned to a role, pass the usernames as a string path to RLS, parse it into a table, then return the row when it matches with a value in the column. It feels like a re-invention of the for loop...

We do this if we are not actually passing usernames, but for cases like multiple sales offices, or making a view that compares data from multiple user accounts, or when a user belongs to different hierarchies in an organization, or basically any time you want to use multiple filters..

example input using sales ids

//Username() = "020104010|020104061|020104303|020104304"

//DAX
var userIds = Username()
VAR tbl=
    GENERATE (
        GENERATESERIES(1,PATHLENGTH(UserIds),1),
        ROW ( "Key", PATHITEM ( userIds, [value]))
    )

VAR valueList =
    SELECTCOLUMNS ( tbl, "Key", [Key] )

return  [sales_id_column] in valueList

There is also a case when the table has a many to many relationship and cannot use multiple roles as identity. In that case the username looks like this:

Username() = "SalesHead:020104010|SalesLead:020104061|SalesUser:020104303"

and the code will have an extra step to parse the inner path after you change the ":" to a "|". This approach supports a claims-based authorization.

Answer 2

You need to add row level security by adding roles in power bi desktop -

1. Modeling => Manage Roles
2. Create
3. Give your role a name e.g Role A
4. Select a table under Tables to filter on
5. in the Table filter DAX expression add [column_name_here] = USERNAME()
6. The username that you pass into your GenerateTokenRequest will be passed to USERNAME()

Adding multiple usernames to the GenerateTokenRequest would be counter intuitive as it is designed to generate a token for a single user viewing the embedded report.

If you have different usernames in different tables for the same user then you could create a look up table where usernameA maps to username1 on table1, username2 on table 2 etc.

If you can provide more details on your use case I'd be happy to try and help

Answer 3

In a single GenerateTokenRequest you need to pass an equal number of EffectiveIdentitys as the number of passed datasets. This means that for embedding a dashboard (may contain tiles with different datasets) you will be able to pass multiple EffectiveIdentity with different usernames. But for report embed (has a single dataset) you can only pass one username.