Deploy role also deploys role members

[UlfenB]

I have a model created in Visual Studio with roles and RLS set up. Members are added to the roles. However, the new Power BI Premium XMLA endpoint doesn't support role members at the moment. When I try to deploy and check "Deploy Roles" but not "Deploy Role Members" Tabular Editor still tries to deploy the members resulting in an error. If I export a TMSL script I can see the role members. If I remove the members manually and run the script the deploy is working.

[otykier]

When you check "Deploy Roles" but uncheck "Deploy Role Members", Tabular Editor populates the TMSL script with the members already defined in the destination database, instead of those that may have been defined within Tabular Editor. If we send an empty array of role members for any given role in the TMSL, Analysis Services would remove any existing members from that role upon deployment.

Now, this functionality was created for Analysis Services where it works well, and we know that adding role members through XMLA is not yet supported on the Power BI XMLA endpoint. But I'm confused about the role members that showed up in your TMSL script? To my knowledge, if you've added members through the Power BI Service UI, these members would not show up in XMLA. Indeed - they don't show up in SSMS either.

So with "Deploy Role Members" unchecked, I don't understand why you're seeing role members in the TMSL script - these must have come from the Power BI service somehow.

Even if I change the behaviour of Tabular Editor, to not include existing role members from the destination dataset when deploying to Power BI XMLA, I would have to change it back at a later point in time, once the XMLA endpoint supports adding role members. So you can probably understand why I'm a little hesitant to change this.

Could a workaround in the mean time be, that you manually remove the role members within Tabular Editor before deploying?

To make this a little easier, here's a script you can use, which will clear all roles of their members in one go:

foreach(var role in Model.Roles)
    role.ClearMembers();

[UlfenB]

First of all - thank you Daniel for looking into the problem and for all your great work on Tabular Editor!

I agree to everything in your comment, and hopefully the XMLA endpoint will soon fully support roles and the problem goes away... But there is still one thing I find strange - I get members in the roles in the script even when deploying to an empty workspace with no model deployed before. Are the members from the bim file added if it's not possible to fetch them from the server? This is a part of the generated script:

"roles": [ { "name": "Chefer", "description": "AAD.PowerBI.Chef - Dynamisk säkerhet baserad på chefsskap i MasterData", "modelPermission": "read", "members": [ { "memberName": "AAD.PowerBI.Chef@xxxx.onmicrosoft.com", "memberId": "AAD.PowerBI.Chef@xxxx.onmicrosoft.com", "identityProvider": "AzureAD" } ], "tablePermissions": [ { "name": "Behörighet Organisation chef", "filterExpression": "'Behörighet Organisation chef'[Emailadress]=USERNAME()" } ] }

[otykier]

Aha - that's a bug in the script generated when deploying a model as a new dataset (when writing my previous comment, I had only tested deployment with overwriting an existing dataset, which is a different code path). Thanks! I'll make sure this is fixed in next release.

[UlfenB]

Great! Thank's again!

[otykier]

Fixed in 2.12.0.

[saurbshnde]

@otykier , Hey Daniel - any future plans to deploy the role members data as well from tabular editor with XMLA endpoint to Power BI dataset ?

[otykier]

@saurbshnde if your model metadata contains role members, they should already get deployed, when checking both "Deploy roles" and "Deploy role members".

[saurbshnde]

@otykier Hey Daniel, thanks with some tweaks we were able to deploy role members data too. Thanks again for prompt response.

[saurbshnde]

@otykier Hey Daniel, As we were able to succesfully convert a SSAS tabular cube to a Power BI dataset through XMLA endpoint on Tabular editor along with Role member data too.

I wanted to know does this mean that DAX logics we had written for RLS on the SSAS side will also get migrated to Power BI service and doesn't need any further tweaks ? Appreciate your support, thanks!

[otykier]

@saurbshnde if your deployment included the roles (you can verify this by opening the Power BI dataset in Tabular Editor through XMLA), then your RLS expressions should be intact. However, I still suggest you test that the security works as expected, by impersonating a user in the Power BI service.

[saurbshnde]

@otykier Thanks Daniel, I will check this out! and keep you posted :)

[saurbshnde]

@otykier Hey Daniel, I could see that the DAX rules got deployed onto the PowerBI dataset. However on the Power BI side, I cannot see the RLS getting applied. May be an issue or some configuration miss at the POwer BI side from us.