This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 53%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVD%3C/text%3E%3C/svg%3E)
We have several SSAS data models and folks connect to those typically via Power BI Report Server Reports or SSRS reports that we have developed. All users are expected to use the dashboards/reports only.
However, there are some users who are aware of the SSAS server name and connect/pull data from it via Excel, SSMS or other means. This has caused serious issues sometimes as those users end up pulling information incorrectly.
We want to restrict folks from being able to connect to the data models directly except of course via our reports/dashboards. We would still like to have the ability to connect to these ourselves i.e. our core team (This is ideal but can be lived without if required)
Is there a way we can achieve that?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 85%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDG%3C/text%3E%3C/svg%3E)
There is no built-in mechanism in SSAS to restrict access based on the type of clients tool.
Off the top of my head I can think of a couple of potential solutions.
Thanks Darren. We do have row level security so option 2 is not feasible. Blocking at the network level of course would be the last resort but I don't think our requirement is as critical to take such a drastic step.
One of the possible options we were trying to explore was leveraging the CustomData field to kind of create an extra layer or let's say "soft" security.
i.e. In all the row-level security logic, we will add an extra condition to check if the the CustomData value is "secret code". So unless the "secret code" is passed in the connection string, a user will not be able to see any data.
This method did seem to work but only for SSRS reports and Excel. PBIRS reports did not seem to pass the CustomValue to the model's row level security logic though.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 9%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELY%3C/text%3E%3C/svg%3E)
PBIRS and SSRS are almost same product, so I thought they should have similar behavior for this call.
Hi,
We could not control the client tool and forbidden certain softwares from connecting.
My ideal is to change the tabular server password, if the normal user only need to connect to data through SSRS/PBIRS, this is no need to share them the SSAS server permission and password.
They only need to have SSRS/PBIRS logon account and password, with which they could log on to SSRS PBIRS web portal and browse the report.
Regards,
Lukas
All users connect via their company Active Directory login and not specific username/password as such.
These users don't have any explicit permission as such to the server. They are just added as Members under the SSAS Model > Roles > Membership section to enable row level security.
This method did seem to work but only for SSRS reports and Excel. PBIRS reports did not seem to pass the CustomValue to the model's row level security logic though.
Unfortunately you cannot add any additional parameters to the connection string for PBIX based reports. The SSAS connector only accepts the server name and database name, any other options are ignored. So sneaking something into the connection string is not an option for those.
Would you say that's a possible bug though or it's by design for some reason. I feel it's a bug or just something that kind of got overlooked given it works perfectly fine with SSRS reports.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 47%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDG%3C/text%3E%3C/svg%3E)
Unfortunately I believe this is by design. Internally Power BI Desktop uses the AnalysisServices.Database M function to connect live to SSAS and that function only has parameters for server, database and a few select options like some of the timeouts.
I actually ended up trying it again and it worked like a charm with PBIRS reports too.
Basically 2 steps:-
The customdata value can be added in Excel, DAX Studio, PBIRS, SSRS reports etc as needed. If it's not passed then user does not see any data. If it's passed, user sees the data he/she has access to as per the RLS security.
Essentially, unless someone knows the "CodeWord" they can't access the data from any other application.
When you say PBIRS reports are you talking about RDL based reports or PBIX. Last time I tried adding extra connection string arguments to a connection string for a PBIX based report they were ignored, but this was a few years ago that I tried this. Maybe there was an update for this.
PBIX. Looks like this has started working recently. Even I had tried it some time ago and decided to try again today and it worked.
Just realized I'm in conversation with the creator of Dax Studio himself! :) Thanks for building such an awesome tool. Use it every single day.
Thanks for that, it's always nice to hear when people enjoy using my tool :)