Data Gateway or SSAS unable to read AD user information: "The user name or password is incorrect"

Hi everyone,

Looking for some advice and best-practice!

I need to know what the least required Active Directory related permissions are for SSAS to 'impersonate' a given user via the EffectiveUsername property, see the question in bold below.

Situation:

- Power BI Gateway running.

- SSAS tabular instance running. Service Account = SA1.

- A data source for a SSAS tabular database configured in the Gateway, with a connection using SA2.

- SA2 is Administrator of the SSAS tabular instance.

Problem:

- If UserA opens a report in the Power BI Service that's based on the configured data source, it works fine. UserA is sent to the database via the EffectiveUsername prop, the user has read access via a Role and data gets returned.

- If UserB opens the same report, the Gateway connection fails and a "The user name or password is incorrect" message appears in the Gateway log and profiler trace.

After a long adventure of troubleshooting and digging we found the difference:

- UserA has "Allow Read" permissions on the "Authenticated Users" group, if you look at the security tab of his Active Directory account.

- UserB does not have that permission active.

If we check the box for UserB, the connection works!

So I can only conclude that the impersonation or check that SSAS (or the Gateway?) does - on the value provided in the EffectiveUsername prop - needs to be able to read (some) properties on the AD user.

Question:

Since the IT guys are prudent on checking the "Allow Read" permission on all AD users:

What are the least required permissions required for this scenario to work, and/or what is the best practice regarding this "Allow Read" permission?
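
One way to see exactly which ACEs differ between a working and a failing account, added here as an example and not part of the original post: the PowerShell below lists the "Authenticated Users" (well-known SID S-1-5-11) ACEs that carry read rights in a user object's security descriptor. The function name and the two constructed descriptors are assumptions for illustration; the trailing comment shows how to pass in real objects through the ActiveDirectory module.

```powershell
# Added example, not from the original post. Function name and sample data are illustrative.
Add-Type -AssemblyName System.DirectoryServices

$AuthUsersSid = 'S-1-5-11'   # well-known SID of "Authenticated Users"
$ReadProperty = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

function Get-AuthUsersReadAce {
    param(
        [Parameter(Mandatory)][string]$Label,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectorySecurity]$Acl
    )
    # Request identities as SIDs so matching does not depend on localized group names.
    $rules = $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $hits = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $AuthUsersSid -and
        ($_.ActiveDirectoryRights -band $ReadProperty) -ne 0
    })
    if ($hits.Count -eq 0) {
        # No ACE for Authenticated Users carries read rights on this object.
        return [pscustomobject]@{ Account = $Label; Type = 'none'; Rights = $null
                                  ObjectType = $null; Inherited = $null }
    }
    foreach ($ace in $hits) {
        [pscustomobject]@{
            Account    = $Label
            Type       = $ace.AccessControlType      # Allow or Deny
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $ace.ObjectType             # all-zero GUID = every property
            Inherited  = $ace.IsInherited
        }
    }
}

# Constructed descriptors standing in for UserA and UserB (runs without a domain).
$sid   = [System.Security.Principal.SecurityIdentifier]$AuthUsersSid
$userA = New-Object System.DirectoryServices.ActiveDirectorySecurity
$userA.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow)))
$userB = New-Object System.DirectoryServices.ActiveDirectorySecurity

Get-AuthUsersReadAce -Label 'UserA (constructed)' -Acl $userA
Get-AuthUsersReadAce -Label 'UserB (constructed)' -Acl $userB

# Against a live domain (needs the RSAT ActiveDirectory module; account names are placeholders):
#   Import-Module ActiveDirectory
#   Get-AuthUsersReadAce -Label 'UserB' -Acl (Get-Acl -Path "AD:\$((Get-ADUser -Identity 'UserB').DistinguishedName)")
```

Comparing the `Rights`, `ObjectType` and `Inherited` columns for both accounts shows whether the working account holds a full read grant or only a grant scoped to specific properties, and whether it comes from the object itself or from a parent container.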

