Power BI RLS with App-Owns-Data Model & Embed Tokens

Deep Dive: Power BI RLS with App-Owns-Data Model & Embed Tokens

This guide provides a focused deep dive into two critical aspects of Power BI embedding: designing Row-Level Security (RLS) within the "App-Owns-Data" model and the process of generating RLS-restricted embed tokens. This is essential for delivering personalized and secure data experiences within your custom web applications.

📌 1. Designing for RLS with the App-Owns-Data Model

🧠 What is RLS (Row-Level Security)?

RLS (Row-Level Security) is a powerful feature in Power BI that filters the data a user can see based on their identity or role. Instead of giving everyone access to the full dataset, you can define rules to show only the relevant rows of data to each user, ensuring data governance and privacy.

🧠 What is App-Owns-Data Model?

In this model:

  • Your application controls the authentication (not the Power BI service directly).
  • Users of your application typically don’t need a Power BI account or license.
  • Your app embeds the report and generates a secure embed token on behalf of the user.
  • You can precisely control what data each user sees by applying RLS through the embed token.

✅ Designing for RLS in this model

To design RLS for the App-Owns-Data model, you define roles and filters within Power BI Desktop, and then your application's backend will tell Power BI which role to apply.

| Step | Description |
| --- | --- |
| 1️⃣ Define Roles | Inside Power BI Desktop, use Modeling > Manage Roles to create one or more roles (e.g., "EastRegionRole", "SalesRole"). |
| 2️⃣ Create DAX Filter | For each role, create a DAX filter expression that determines which rows are visible. This filter will typically reference a column in your data model. For dynamic filtering based on the embed token's `username`, use USERNAME() or USERPRINCIPALNAME(). |
| 3️⃣ Publish Report | Publish the report to a Power BI Workspace that is backed by a Power BI Premium or Embedded capacity. |
| 4️⃣ Pass Identity & Role | In your backend, when generating the embed token, you'll pass the user identity (via `username`) and the RLS role(s) to apply using the `EffectiveIdentity` object. |
| 5️⃣ Power BI Applies Filter | Power BI receives the embed token, applies the specified role-based filter to the dataset, and then renders the report to that user with only the authorized data. |

👩‍💻 Example:

In Power BI Desktop:

  • Role: EastRegionRole
  • DAX Filter: [Region] = "East"

When embedding, your C# backend code would specify this role:

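```csharp
// 'datasetId' is the dataset's GUID as a string.
// Named arguments keep the call independent of the constructor's parameter order.
var identity = new EffectiveIdentity(
    username: "raushan@demo.com",
    datasets: new List<string> { datasetId })
{
    Roles = new List<string> { "EastRegionRole" }
};
```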

This ensures only "East Region" data is shown for the user associated with "raushan@demo.com".

📌 2. Generating Embed Tokens Restricted by RLS Roles

🧠 Why Generate Embed Tokens?

Embed Tokens are short-lived, secure keys used by your application to securely display Power BI reports without exposing any Power BI credentials. Each token contains specific information about:

  • What report to load.
  • What dataset to use.
  • What access level is allowed (e.g., View, Edit, Create).
  • Crucially, what RLS role(s) to apply (if any).

✅ Steps to Generate RLS-Sensitive Embed Tokens

| Step | Description |
| --- | --- |
| 1️⃣ Authenticate Backend | Use your Azure AD App (Service Principal) to authenticate your backend application with Azure AD. This grants your app access to Power BI APIs. |
| 2️⃣ Call Power BI REST API | Use the Power BI .NET SDK (or directly call the REST API) to interact with the Power BI Service. |
| 3️⃣ Create EffectiveIdentity | Create an EffectiveIdentity object. This object tells Power BI "who" the user is (via `username`) and "which RLS role(s)" should apply to them. You also specify the `datasetId` this identity applies to. |
| 4️⃣ Build Token Request | Pass this `EffectiveIdentity` object within a `GenerateTokenRequestV2` (or similar) object. You also specify the report ID, dataset ID, and desired access level. |
| 5️⃣ Get Token | Call the Power BI API's `GenerateTokenAsync` (or `GenerateTokenInGroupAsync`) method to retrieve the embed token. |

👨‍💻 Sample C# Code:

This snippet demonstrates how to construct the `EffectiveIdentity` and the token generation request in C# using the Power BI .NET SDK.

```csharp
// Assume 'datasetId' and 'reportId' are strings holding the GUIDs obtained from Power BI Service
// Assume 'pbiClient' is an authenticated PowerBIClient instance

var effectiveIdentity = new EffectiveIdentity(
    username: "raushan@demo.com",
    datasets: new List<string> { datasetId })
{
    Roles = new List<string> { "EastRegionRole" } // RLS role defined in Power BI Desktop
};

var tokenRequest = new GenerateTokenRequestV2
{
    Reports = new List<GenerateTokenRequestV2Report>
    {
        // GenerateTokenRequestV2 has no AccessLevel property;
        // view-only access is expressed per report with AllowEdit = false
        new GenerateTokenRequestV2Report { Id = Guid.Parse(reportId), AllowEdit = false }
    },
    Datasets = new List<GenerateTokenRequestV2Dataset>
    {
        new GenerateTokenRequestV2Dataset { Id = datasetId } // dataset Id is a string
    },
    Identities = new List<EffectiveIdentity> { effectiveIdentity }
};

// A GenerateTokenRequestV2 is submitted through EmbedToken.GenerateTokenAsync
var embedToken = await pbiClient.EmbedToken.GenerateTokenAsync(tokenRequest);
```

⚠ Important Notes

  • The `username` provided in the `EffectiveIdentity` **does not need to be a real Power BI user account**. It's a string identifier that Power BI's `USERNAME()` or `USERPRINCIPALNAME()` DAX functions will return. This allows you to integrate with your own application's user management system.
  • Make sure the `role` names in the `EffectiveIdentity` (e.g., "SalesRole" or "EastRegionRole") **exactly match** those defined in your Power BI Desktop file (case-sensitive).
  • Embed tokens are typically valid for **1 hour**. Your application should handle token refreshing before expiration to provide a continuous experience.
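
Because the backend decides which role Power BI applies, the `username` and roles should come from the application's own authenticated user record, and role names should be checked against the model with a case-sensitive comparison. One way to do that, as an added example (not code from the original post); `AppUser`, `RlsIdentityFactory` and the `ModelRoles` list are hypothetical names, and the role names are the ones used in this guide:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.PowerBI.Api.Models;

// Hypothetical app-side record: role assignments loaded from the application's own user store.
public sealed record AppUser(string Email, IReadOnlyCollection<string> AssignedRoles);

public static class RlsIdentityFactory
{
    // Roles that exist in the published model (assumed list).
    // Ordinal comparison because role names must match exactly, including case.
    private static readonly HashSet<string> ModelRoles =
        new(StringComparer.Ordinal) { "EastRegionRole", "SalesRole" };

    // Builds the identity only from the server-side user record. Nothing sent by the
    // browser (query string, form field, header) is allowed to select a role.
    public static EffectiveIdentity Build(AppUser user, string datasetId)
    {
        if (string.IsNullOrWhiteSpace(user.Email))
            throw new ArgumentException("User has no identifier to pass as username.", nameof(user));

        // Fail closed: a user without any role assignment gets no token at all.
        if (user.AssignedRoles.Count == 0)
            throw new UnauthorizedAccessException("No RLS role assigned; refusing to issue a token.");

        // Reject misspelled or wrongly cased role names before they reach Power BI.
        var unknown = user.AssignedRoles.Where(r => !ModelRoles.Contains(r)).ToList();
        if (unknown.Count > 0)
            throw new InvalidOperationException(
                $"Roles not defined in the model: {string.Join(", ", unknown)}");

        return new EffectiveIdentity(
            username: user.Email,
            datasets: new List<string> { datasetId })
        {
            Roles = user.AssignedRoles.Distinct(StringComparer.Ordinal).ToList()
        };
    }
}
```

The returned object goes into the `Identities` list of the token request in place of a hard-coded identity.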

🎯 Summary (TL;DR)

| Concept | Meaning |
| --- | --- |
| RLS | Filters data per user using roles defined in Power BI Desktop. |
| App-Owns-Data | Your application authenticates with Power BI, and end-users don’t need Power BI accounts. |
| EffectiveIdentity | A crucial object in the embed token request that tells Power BI "who" the user is (`username`) and "which role" applies. |
| Embed Token | Short-term secure token that controls what the user sees and which RLS filters are applied. |

Raushan Ranjan

Microsoft Certified Trainer

.NET | Azure | Power Platform | WPF | Qt/QML Developer

Power BI Developer | Data Analyst

📞 +91 82858 62455
🌐 raushanranjan.azurewebsites.net
🔗 linkedin.com/in/raushanranjan
