Power BI
NewQueries using the API from a Service Principal on Datasets with Row Level Security.
Tucker Lannon on 09 Nov 2021 21:33:02
Queries using the API from a Service Principal on Datasets with Row Level Security should be a feature. It would be nice to be able to use a service principal to return query results on data sets with row level security enabled.
- Comments (3)
RE: Queries using the API from a Service Principal on Datasets with Row Level Security.
I totally agree. And I even think that the reason for this limitation is invalid. The documentation says this:"Service Principals aren't supported for datasets with RLS per RLS limitations or with SSO enabled".This implies that a Service Principal can't be added to a RLS role and hence a Service Principal can't be used to access a dataset with RLS. But... Since there's a requirement that the account doing rest API calls shall be either Admin or Member of the workspace, that account does anyway by-pass the RLS rules. There might be good reasons for the limitation, but as I read the documentation, the correct reason is not listedSince REST API calls towards a RLS enabled dataset is possible already today using a none Service Principal (e.g. my personal account or even worse a single factor service account) we must relay on none secure solutions for this and that is not ok. Please Microsoft put down some work into this so we can secure our most valuable datasets that we protect using RLS
RE: Queries using the API from a Service Principal on Datasets with Row Level Security.
So I went through all the work of changing everything in our app to use an SPN for authentication, only to hit a roadblock in that ExecuteQueries API endpoint doesn't support SPNs. Ideally you should be able to pass in an Effective Identity in the same manner as generating an embed token. I wouldn't be totally blocked if I could at least run the query without RLS using the SPN in the same manner as connecting to the XMLA endpoint works. That would be better than nothing that we currently have.
RE: Queries using the API from a Service Principal on Datasets with Row Level Security.
Please add this feature to Dataset Execute Queries. We need it!