Rule-based User Names for Power BI Hybrid Solutions
We have a great new enhancement to the Power BI Gateway – Enterprise that just came out! Many organizations are planning hybrid Power BI solutions where report and dashboard definitions are deployed to Power BI but remain in SSAS Multidimensional or Tabular semantic models on premises. At the same time, many organizations have run into the dreaded Windows security issues when the user principle name (UPN) is in a different domain than the domain where SSAS is installed. Or the domains might not have a trusted relationship. In this case, the gateway can’t delegate EffectiveUserName to SSAS and the connection fails because it comes as an anonymous user. As a workaround, you can assign aliases in active directory but for many organizations AD changes are simply not an option.
To circumvent this issue, the latest release of the gateway now allows rules. Suppose that I log in to Power BI with user1@prologika.com but the SSAS server is installed on the acme domain. Now, the gateway administrator can set up a rule on the gateway properties that replaces “prologika” with “acme” (make sure to click the Add button to add the rule). Then, you can test the rule with some user accounts. As you can see from the screenshot and from the announcement, Microsoft also plans to support CustomData in near future. This might be useful in the scenarios where you don’t care about the actual user UPN when applying data security in SSAS. For example, you can say that all users belonging to the acme1 and acme2 domains are “Acme Users”. Then, you can use the CustomData() function (supported in both Multidimensional and Tabular) to return the mapped string and apply whatever security rules are needed for Acme Users.
With this release, Power BI Gateway – Enterprise allows all organizations to maximize their investment in SSAS irrespective and implement hybrid Power BI solutions irrespective of their AD domain setup.