Row-level security with Power BI Embedded

Row-level security (RLS) can be used to restrict user access to data within dashboards, tiles, reports, and datasets. Different users can work with those same artifacts all while seeing different data. Embedding supports RLS.

If you're embedding for non-Power BI users (app owns data), which is typically an ISV scenario, then this article is for you! Configure the embed token to account for the user and role.

If you're embedding to Power BI users (user owns data) within your organization, RLS works the same as it does within the Power BI service directly. There's nothing more you need to do in your application. For more information, see Row-Level security (RLS) with Power BI.

[Image: Items involved in row-level security]

To take advantage of RLS, it's important you understand three main concepts: users, roles, and rules. Let's take a closer look at these concepts:

Users – End users viewing the artifact (dashboard, tile, report, or dataset). In Power BI Embedded, users are identified by the username property in an embed token.

Roles – Users belong to roles. A role is a container for rules and can be named something like Sales Manager or Sales Rep. You create roles within Power BI Desktop. For more information, see Row-level security (RLS) with Power BI Desktop.

Rules – Roles have rules, and those rules are the actual filters that are applied to the data. The rules could be as simple as "Country = USA" or something much more dynamic. The rest of this article walks through an example of authoring RLS and then consuming it within an embedded application. Our example uses the Retail Analysis Sample PBIX file.

[Image: Report example]

Adding roles with Power BI Desktop

Our Retail Analysis sample shows sales for all the stores in a retail chain. Without RLS, no matter which district manager signs in and views the report, they all see the same data. Senior management has determined each district manager should only see the sales for the stores they manage. Using RLS allows senior management to restrict data based on the district manager.

RLS is authored in Power BI Desktop. When the dataset and report are opened, we can switch to diagram view to see the schema:

[Image: Diagram view in Power BI Desktop]

Here are a few things to notice with this schema:

  • All measures, like Total Sales, are stored in the Sales fact table.

  • There are four additional related dimension tables: Item, Time, Store, and District.

  • The arrows on the relationship lines indicate which way filters can flow from one table to another. For example, if a filter is placed on Time[Date], in the current schema it would only filter down values in the Sales table. No other tables are affected by this filter, since all the arrows on the relationship lines point to the Sales table and not away from it.

  • The District table indicates who the manager is for each district:

    [Image: Rows in the District table]

Based on this schema, if we apply a filter to the District Manager column in the District table, and that filter matches the user viewing the report, the filter flows down to the Store and Sales tables to show only the data for that district manager.

Here's how:

  1. On the Modeling tab, select Manage Roles.

    [Image: Modeling tab in Power BI Desktop]

  2. Create a new role called Manager.

    [Image: Create a new role]

  3. In the District table, enter this DAX expression: [District Manager] = USERNAME().

    [Image: DAX statement for the RLS rule]

  4. To make sure the rules are working, on the Modeling tab, select View as Roles, and then select both the Manager role you created, along with Other users. Enter AndrewMa for the user.

    [Image: View as Roles dialog]

    The report shows data as if you're signed in as AndrewMa.

Applying the filter, the way we did here, filters down all records in the District, Store, and Sales tables. However, because of the filter direction on the relationships between Sales and Time, Sales and Item, and Item and Time, the Time and Item tables aren't filtered down. To learn more about bidirectional cross-filtering, download the Bidirectional cross-filtering in SQL Server Analysis Services 2016 and Power BI Desktop whitepaper.
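The following Python script is an added illustration of the filter propagation described above, not code from the article or from Power BI. It models a tiny star schema with constructed rows (the names follow the Retail Analysis sample, but the data is invented), evaluates the Manager role's rule [District Manager] = USERNAME() for a given user, and walks the filter along the relationship arrows. Because every arrow points towards Sales and none point away, District, Store and Sales shrink while Time and Item keep all their rows, which is exactly the behaviour the whitepaper reference explains.

```python
"""Toy simulation of how the Manager role's RLS rule propagates through a
Retail Analysis-style star schema. Added example with constructed data; it is
not Power BI code and the rows are invented."""

# Constructed tables standing in for District, Store, Sales, Item and Time.
DISTRICT = [
    {"DistrictID": 1, "District Manager": "AndrewMa"},
    {"DistrictID": 2, "District Manager": "TinaL"},
]
STORE = [
    {"StoreID": 10, "DistrictID": 1},
    {"StoreID": 11, "DistrictID": 1},
    {"StoreID": 20, "DistrictID": 2},
]
ITEM = [{"ItemID": 100}, {"ItemID": 200}]
TIME = [{"Date": "2017-01-01"}, {"Date": "2017-01-02"}]
SALES = [
    {"StoreID": 10, "ItemID": 100, "Date": "2017-01-01", "Amount": 5},
    {"StoreID": 11, "ItemID": 200, "Date": "2017-01-02", "Amount": 7},
    {"StoreID": 20, "ItemID": 100, "Date": "2017-01-01", "Amount": 9},
    {"StoreID": 20, "ItemID": 200, "Date": "2017-01-02", "Amount": 11},
]
TABLES = {"District": DISTRICT, "Store": STORE, "Item": ITEM, "Time": TIME, "Sales": SALES}

# Relationships as (from_table, to_table, key). A filter flows only in the
# direction of the arrow, from the "one" side to the "many" side, as the
# diagram view shows: every arrow points towards Sales, none point away.
RELATIONSHIPS = [
    ("District", "Store", "DistrictID"),
    ("Store", "Sales", "StoreID"),
    ("Item", "Sales", "ItemID"),
    ("Time", "Sales", "Date"),
]


def apply_rls(username, tables=TABLES, relationships=RELATIONSHIPS):
    """Evaluate [District Manager] = USERNAME() for `username` (in Power BI
    Embedded USERNAME() is the embed token's username property) and propagate
    the row filter along the arrows. Returns table_name -> surviving rows."""
    filtered = {name: list(rows) for name, rows in tables.items()}
    # The role rule itself: keep only District rows managed by this user.
    filtered["District"] = [r for r in tables["District"]
                            if r["District Manager"] == username]

    # A filtered table restricts each table its arrow points to, via the
    # shared key. Repeat until stable so District -> Store -> Sales is walked.
    changed = True
    while changed:
        changed = False
        for src, dst, key in relationships:
            allowed = {r[key] for r in filtered[src]}
            kept = [r for r in filtered[dst] if r[key] in allowed]
            if len(kept) != len(filtered[dst]):
                filtered[dst] = kept
                changed = True
    return filtered


def row_counts(username):
    """Number of visible rows per table for a given user."""
    return {name: len(rows) for name, rows in apply_rls(username).items()}


def total_sales(username):
    """The Total Sales measure as the user would see it."""
    return sum(r["Amount"] for r in apply_rls(username)["Sales"])


if __name__ == "__main__":
    for user in ("AndrewMa", "TinaL", "Nobody"):
        print(user, row_counts(user), "Total Sales =", total_sales(user))
```

Running it with a username that matches no District Manager row (the "Other users" case from the View as Roles dialog) leaves Sales empty, while Item and Time still show every row; that is the visible consequence of the single-direction arrows.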

Applying user and role to an embed token

Now that you have your Power BI Desktop roles configured, some more work needs to be done in your application to take advantage of the roles.

Users are authenticated and authorized by your application, and embed tokens are used to grant a user access to a specific Power BI Embedded report. Power BI Embedded doesn't have any specific information on who your user is. For RLS to work, you need to pass some additional context as part of your embed token in the form of identities. You can pass the identities by using the Embed Token API.

The API accepts a list of identities with an indication of the relevant datasets. For RLS to work, you need to pass the following pieces as part of the identity.

  • username (mandatory) – A string that can be used to help identify the user when applying RLS rules. Only a single user can be listed. Your username can be created with ASCII characters.
  • roles (mandatory) – A string containing the roles to select when applying row-level security rules. If passing more than one role, they should be passed as a string array.
  • dataset (mandatory) – The dataset that is applicable for the artifact you're embedding.

You can create the embed token by using the GenerateTokenInGroup method on PowerBIClient.Reports.

For example, you could change the PowerBIEmbedded_AppOwnsData sample. Services\EmbedService.cs lines 76 and 77 could be updated from:

// Generate Embed Token.
var generateTokenRequestParameters = new GenerateTokenRequest(accessLevel: "view");

var tokenResponse = await client.Reports.GenerateTokenInGroupAsync(GroupId, report.Id, generateTokenRequestParameters);

to:

// Generate Embed Token with an effective identity so that RLS is applied.
var generateTokenRequestParameters = new GenerateTokenRequest(
    "View",
    null,
    identities: new List<EffectiveIdentity>
    {
        new EffectiveIdentity(
            username: "username",
            roles: new List<string> { "roleA", "roleB" },
            datasets: new List<string> { "datasetId" })
    });

var tokenResponse = await client.Reports.GenerateTokenInGroupAsync("groupId", "reportId", generateTokenRequestParameters);

If you're calling the REST API, the updated API now accepts an additional JSON array, named identities, containing a username, a list of string roles, and a list of string datasets.

Use the following code as an example:

{
    "accessLevel": "View",
    "identities": [
        {
            "username": "EffectiveIdentity",
            "roles": [ "Role1", "Role2" ],
            "datasets": [ "fe0a1aeb-f6a4-4b27-a2d3-b5df3bb28bdc" ]
        }
    ]
}

Now, with all the pieces together, when someone logs into your application to view this artifact, they'll only see the data that they're allowed to see, as defined by your row-level security.

Working with Analysis Services live connections

Row-level security can be used with Analysis Services live connections for on-premises servers. There are a few specific concepts that you should understand when using this type of connection.

The effective identity that is provided for the username property must be a Windows user with permissions on the Analysis Services server.

Note

When using a service principal with an Azure Analysis Services data source, the service principal itself must have Azure Analysis Services instance permissions. Using a security group that contains the service principal for this purpose doesn't work.

On-premises data gateway configuration

An on-premises data gateway is used when working with Analysis Services live connections. When generating an embed token with an identity listed, the master account needs to be listed as an admin of the gateway. If the master account isn't listed, the row-level security isn't applied to the data. A non-admin of the gateway can provide roles, but must specify its own username for the effective identity.

Use of roles

Roles can be provided with the identity in an embed token. If no role is provided, the username that was provided can be used to resolve the associated roles.

Using the CustomData feature

The CustomData feature only works for models that reside in Azure Analysis Services, and it only works in Connect live mode. Unlike users and roles, the CustomData feature can't be set inside a .pbix file. When generating a token with the CustomData feature, you need to have a username.

The CustomData feature allows you to add a row filter when viewing Power BI data in your application when using Azure Analysis Services as your data source (that is, viewing Power BI data connected to Azure Analysis Services in your application).

The CustomData feature allows passing free text (a string) using the CustomData connection string property. Analysis Services uses this value via the CUSTOMDATA() function.

The only way to have dynamic RLS (which uses dynamic values for filter evaluation) in Azure Analysis Services is by using the CUSTOMDATA() function.

You can use it inside the role DAX query, and you can use it without any role in a measure DAX query. The CustomData feature is part of the token generation functionality for the following artifacts: dashboard, report, and tile. Dashboards can have multiple CustomData identities (one per tile/model).

CustomData SDK additions

The CustomData string property was added to the effective identity in the token generation scenario.

[JsonProperty(PropertyName = "customData")]
public string CustomData { get; set; }

The identity can be created with custom data using the following call:

public EffectiveIdentity(string username, IList<string> datasets, IList<string> roles = null, string customData = null);

CustomData SDK usage

If you're calling the REST API, you can add custom data inside each identity, for example:

{
    "accessLevel": "View",
    "identities": [
        {
            "username": "EffectiveIdentity",
            "roles": [ "Role1", "Role2" ],
            "customData": "MyCustomData",
            "datasets": [ "fe0a1aeb-f6a4-4b27-a2d3-b5df3bb28bdc" ]
        }
    ]
}

Here are the steps to begin setting up the CustomData() feature with your Power BI Embedded application.

  1. Create your Azure Analysis Services database. Then sign in to your Azure Analysis Services server via SQL Server Management Studio.

    [Image: Create an Azure Analysis Services database]

    [Image: Analysis Services database]

  2. Create a role in the Analysis Services server.

    [Image: Create a role]

  3. Set your General settings. Here you give the Role Name and set the database permissions to Read only.

    [Image: Create a role - set General settings]

  4. Set the Membership settings. Here you add the users that are affected by this role.

    [Image: Create a role - set Membership settings]

  5. Set your Row filters DAX query using the CUSTOMDATA() function.

    [Image: Create a role - set Row filters]

  6. Build a PBI report and publish it to a workspace with dedicated capacity.

    [Image: PBI report example]

  7. Use the Power BI APIs to use the CustomData feature in your application. When generating a token with the CustomData feature, you need to have a username. The username must be equal to the UPN of the master user. The master user must be a member of the role(s) you created. If no role(s) are specified, then all the roles the master user is a member of are used for RLS evaluation.

    When working with a service principal, you also need to do the above steps, in place of using a master account. When generating the embed token, use the service principal object ID as the username.

    Note

    When you're ready to deploy your application to production, the master user account field or option should not be visible to the end user.

    View the code to add the CustomData feature.

  8. Now you can view the report in your application before applying the CustomData value(s) to see all the data your report holds.

    [Image: Before CustomData is applied]

    Then apply the CustomData value(s) to see how the report displays a different set of data.

    [Image: After CustomData is applied]

Using RLS vs. JavaScript filters

When deciding on filtering your data in a report, you can use row-level security (RLS) or JavaScript filters.

Row-level security is a feature that filters data at the data model level. Your backend data source controls your RLS settings. Based on your data model, the embed token generation sets the username and the roles for the session. It can't be overridden, removed, or controlled by the client-side code, which is why it's considered secure. We recommend using RLS for filtering data securely. You can filter data with RLS by using one of the options below.

  • Configuring roles in a Power BI report.
  • Configuring roles at the data source level (Analysis Services live connection only).
  • Programmatically, with an embed token using EffectiveIdentity. When using an embed token, the actual filter passes through the embed token for a specific session.

JavaScript filters are used to allow the user to consume a reduced, scoped, or filtered view of the data. However, the user still has access to the model schema tables, columns, and measures, and can potentially access any data there. Restricted access to the data can only be applied with RLS and not through client-side filtering APIs.

Token-based identity with Azure SQL Database

The token-based identity allows you to specify the effective identity for an embed token using an Azure Active Directory (AAD) access token for an Azure SQL Database.

Customers that hold their data in Azure SQL Database can now use a new capability to manage users and their access to data in Azure SQL when integrating with Power BI Embedded.

When you're generating the embed token, you can specify the effective identity of a user in Azure SQL by passing the AAD access token to the server. The access token is used to pull only the relevant data for that user from Azure SQL, for that specific session.

It can be used to manage each user's view in Azure SQL, or to sign in to Azure SQL as a specific customer in a multi-tenant database. It can also apply row-level security on that session in Azure SQL and retrieve only the relevant data for that session, removing the need to manage RLS in Power BI.

Such effective identities apply to RLS rules directly on the Azure SQL server. Power BI Embedded uses the provided access token when querying data from the Azure SQL server. The UPN of the user (for which the access token was provided) is accessible as the result of the USER_NAME() SQL function.

The token-based identity only works for DirectQuery models on dedicated capacity connected to an Azure SQL Database that is configured to allow AAD authentication (learn more about AAD authentication for Azure SQL Database). The dataset's data source must be configured to use end users' OAuth2 credentials in order to use a token-based identity.

[Image: Configure the Azure SQL server]

Token-based identity SDK additions

The identity blob property was added to the effective identity in the token generation scenario.

[JsonProperty(PropertyName = "identityBlob")]
public IdentityBlob IdentityBlob { get; set; }

The IdentityBlob type is a simple JSON structure holding a value string property:

[JsonProperty(PropertyName = "value")]
public string value { get; set; }

The EffectiveIdentity can be created with an identity blob using the following call:

public EffectiveIdentity(string username, IList<string> datasets, IList<string> roles = null, string customData = null, IdentityBlob identityBlob = null);

An identity blob can be created using the following call:

public IdentityBlob(string value);

Token-based identity REST API usage

If you're calling the REST API, you can add an identity blob inside each identity.

{
    "accessLevel": "View",
    "identities": [
        {
            "datasets": [ "fe0a1aeb-f6a4-4b27-a2d3-b5df3bb28bdc" ],
            "identityBlob": {
                "value": "eyJ0eXAiOiJKV1QiLCJh…."
            }
        }
    ]
}

The value provided in the identity blob should be a valid access token to Azure SQL Server (with a resource URL of https://database.windows.net/).

Note

To be able to create an access token for Azure SQL, the application must have the Access Azure SQL DB and Data Warehouse delegated permission to the Azure SQL Database API on the AAD app registration configuration in the Azure portal.

[Image: App registration]

On-premises data gateway with service principal

Customers that configure row-level security (RLS) using a SQL Server Analysis Services (SSAS) on-premises live connection data source can use the new service principal capability to manage users and their access to data in SSAS when integrating with Power BI Embedded.

Using the Power BI REST APIs, you can specify the effective identity for SSAS on-premises live connections for an embed token using a service principal object.

Until now, to be able to specify the effective identity for an SSAS on-premises live connection, the master user generating the embed token had to be a gateway admin. Now, instead of requiring the user to be a gateway admin, the gateway admin can give the user dedicated permission to that data source, which allows the user to override the effective identity when generating the embed token. This new ability enables embedding with a service principal for a live SSAS connection.

To enable this scenario, the gateway admin uses the Add Datasource User REST API to give the service principal the ReadOverrideEffectiveIdentity permission for Power BI Embedded.

You can't set this permission using the admin portal. This permission is only set with the API. In the admin portal, you see an indication for users and SPNs with such permissions.

Considerations and limitations

  • Assignment of users to roles within the Power BI service doesn't affect RLS when using an embed token.
  • While the Power BI service doesn't apply RLS settings to admins or members with edit permissions, when you supply an identity with an embed token, it applies to the data.
  • Analysis Services live connections are supported for on-premises servers.
  • Azure Analysis Services live connections support filtering by roles. Dynamic filtering can be done using CustomData.
  • If the underlying dataset doesn't require RLS, the GenerateToken request must not contain an effective identity.
  • If the underlying dataset is a cloud model (cached model or DirectQuery), the effective identity must include at least one role, otherwise role assignment doesn't occur.
  • A list of identities enables multiple identity tokens for dashboard embedding. For all other artifacts, the list contains a single identity.
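The Python module below is an added example, not Microsoft's SDK or sample code, that assembles the GenerateToken request body shown in the REST examples earlier (the username/roles/datasets identity, the CustomData variant, and the identityBlob variant for Azure SQL) and rejects bodies that break the constraints this page states: username and dataset are mandatory, roles travel as a string array, a cloud model needs at least one role, a dataset that needs no RLS gets no identity, and only dashboards carry more than one identity. The function names, the cloud_model and dataset_requires_rls flags, and the JWT-shape check on the identity blob are assumptions of this example; the identityBlob identity omits username because the page's own example does. It builds and validates the JSON only; calling the API and obtaining the AAD token are out of scope.

```python
"""Build and validate a Power BI Embedded GenerateToken request body with an
`identities` array. Added example, not Microsoft code; it enforces only the
rules stated in the article and sends nothing."""

import json
import re

# The dataset GUID from the article's JSON examples; every other value here
# is a constructed placeholder, not a real tenant value.
SAMPLE_DATASET = "fe0a1aeb-f6a4-4b27-a2d3-b5df3bb28bdc"
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


class IdentityError(ValueError):
    """Raised when an identity violates a constraint stated in the article."""


def effective_identity(username=None, datasets=(), roles=(), custom_data=None,
                       identity_blob=None, cloud_model=True):
    """Return one element of the `identities` array.

    identity_blob: AAD access token for https://database.windows.net/ (token-
    based identity for Azure SQL); per the article's example no username is
    sent in that case. cloud_model (hypothetical flag) applies the rule that
    cached/DirectQuery cloud models need at least one role; pass False for
    Analysis Services live connections, where roles resolve from the username.
    """
    if not datasets:
        raise IdentityError("dataset is mandatory")
    for ds in datasets:
        if not GUID_RE.match(ds):
            raise IdentityError(f"dataset id is not a GUID: {ds!r}")
    if isinstance(roles, str):
        raise IdentityError("roles must be passed as a string array, not a string")
    identity = {"datasets": list(datasets)}
    if identity_blob is not None:
        # Only the shape of the blob is checked (compact JWT: three segments).
        if not isinstance(identity_blob, str) or identity_blob.count(".") < 2:
            raise IdentityError("identityBlob value must be a compact JWT string")
        identity["identityBlob"] = {"value": identity_blob}
        return identity
    if not username:
        raise IdentityError("username is mandatory")
    if not username.isascii():  # the article: usernames are built from ASCII
        raise IdentityError("username must consist of ASCII characters")
    if cloud_model and not roles:
        raise IdentityError("cloud models need at least one role, else no role is assigned")
    identity["username"] = username
    if roles:
        identity["roles"] = list(roles)
    if custom_data is not None:  # Azure Analysis Services live models only
        identity["customData"] = custom_data
    return identity


def generate_token_body(identities=(), artifact="report", access_level="View",
                        dataset_requires_rls=True):
    """Assemble the request body. Dashboards may carry several identities
    (one per tile/model); every other artifact gets exactly one.
    dataset_requires_rls is a hypothetical flag for the article's rule that a
    dataset without RLS must not receive an effective identity."""
    identities = list(identities)
    if not dataset_requires_rls and identities:
        raise IdentityError("dataset does not require RLS: omit the effective identity")
    if dataset_requires_rls and not identities:
        raise IdentityError("an RLS dataset needs an effective identity")
    if artifact != "dashboard" and len(identities) > 1:
        raise IdentityError(f"{artifact} embedding accepts a single identity")
    body = {"accessLevel": access_level}
    if identities:
        body["identities"] = identities
    return body


if __name__ == "__main__":
    body = generate_token_body([effective_identity(
        "EffectiveIdentity", [SAMPLE_DATASET], ["Role1", "Role2"],
        custom_data="MyCustomData")])
    print(json.dumps(body, indent=4))
```

The checks are deliberately server-side: the page's point in the RLS-vs-JavaScript section is that the identity travels inside the embed token, so building it in your backend (and refusing to build one the service would ignore, such as a cloud-model identity with no role) is what keeps the filter out of the client's hands.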

Token-based identity limitations

  • You can use RLS only if you have a dedicated capacity.
  • RLS doesn't work with SQL Server on-premises.

More questions? Try asking the Power BI Community