Hi,
We are trying to set up a new Azure Analysis Services (AAS) model which will be locked down only to a small set of report developers as it will contain sensitive data.
These report developers should be able to connect to the model and build their own reports and publish them to the Power BI service. If they share the reports with end-users (report viewers), the latter should be able to view the reports. However, these report viewers should not be able to connect directly to the model via Power BI Desktop.
If we were to add a READ-only role on the model, and add only report developers to that role, report viewers would not be able to see the data when reports have been shared with them.
If we were to add report viewers as well to the role, they would be able to see the data in the reports but that would also enable them to SEE the model and create their own reports via Power BI Desktop (AAS connector), if they somehow managed to get the AAS server name.
This link states that:
"When connecting from Power BI to Azure Analysis Services, you are connected as your Azure Active Directory identity. This is the same identity as you would have used to sign into Power BI. If you share the report to any other users, you must ensure those users have access to your model."
Isn't there a way to use something like a service account for authentication? If there is a way to do so, then I imagine that we only need to add the service account and the report developers' accounts to the database role on the AAS model. Then set up a Power BI gateway and add the AAS model as a data source along with the service account's credentials.
This way, report developers will be able to author reports in Power BI Desktop and publish to the Power BI service using their personal credentials.
When the reports have been shared, report viewers will be able to see the data, assuming the authentication happens via the service account credentials on the gateway. However, they will not be able to create reports via Power BI Desktop as their personal credentials would not have access to the model.
Thank you for reading the lengthy post. I would really appreciate it if someone could give pointers to solve this problem. Thanks in advance!