Manage Permissions in Azure Analysis Services

This document outlines how to manage user and service principal permissions for Azure Analysis Services models. Proper permission management is crucial for ensuring data security and controlling access to your analytical data.

Understanding Permission Roles

Azure Analysis Services uses role-based access control to define permissions. You can assign users and service principals to predefined roles or create custom roles. The following are the primary roles and their associated permissions:

Administrator

Full control over the Azure Analysis Services server and its models.

  • Create, delete, and manage databases (models).
  • Assign roles and manage other users' permissions.
  • Configure server settings.
  • Deploy and process models.

Read

Allows users to connect to the server and query data within models they have access to.

  • Query data using tools like Power BI, Excel, or Analysis Services client libraries.
  • View metadata of databases and objects.

Process

Grants permission to process (refresh) data in models.

  • Trigger data refreshes for models.
  • This role does not grant data read access.

Custom Roles

You can create custom roles to define granular permissions for specific objects within a model, such as tables, columns, or specific data subsets (row-level security).

  • Define specific read, write, or execute permissions.
  • Implement row-level security (RLS) and object-level security (OLS).

Steps to Manage Permissions

1. Accessing Role Management in Azure Portal

You can manage permissions directly through the Azure portal for your Azure Analysis Services server.

  1. Navigate to your Azure Analysis Services server resource in the Azure portal.
  2. In the server menu, under "Settings", select "Permissions".
  3. Here you will see existing roles and can add new users or service principals.

2. Assigning Users and Service Principals to Roles

To grant access, you assign Azure Active Directory (Azure AD) users, groups, or service principals to the desired roles.

  1. On the "Permissions" page, click "+ Add".
  2. Enter the name or email address of the user, group, or service principal.
  3. Select the role you want to assign from the dropdown list.
  4. Click "OK" to save the assignment.

3. Managing Permissions at the Model Level (using SSMS or Tabular Editor)

For more granular control, especially for custom roles and row-level security, you will typically use SQL Server Management Studio (SSMS) or Tabular Editor.

Using SQL Server Management Studio (SSMS):

  1. Connect to your Azure Analysis Services server using SSMS.
  2. Right-click on the database (model) you want to manage permissions for.
  3. Select "Properties".
  4. Navigate to the "Security" page.
  5. Here you can manage roles defined within the model and assign database users to these roles.
  6. To create or edit roles with granular permissions, use the "Roles" section in the model designer within SSMS or Tabular Editor.

Using Tabular Editor:

Tabular Editor is a powerful third-party tool that provides a visual interface for managing Analysis Services Tabular models, including roles and security.

4. Implementing Row-Level Security (RLS)

RLS allows you to restrict data access for users based on their identity or role. This is configured within the model itself.

In SSMS or Tabular Editor, when defining a role, you can apply filters to tables that determine which rows a user assigned to that role can see. For example, a sales manager role might only see sales data for their region.

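-- Example DAX row filter for a 'Sales Manager' role on the 'Sales' table.
-- A row filter must evaluate to TRUE or FALSE for each row, so the column is
-- compared directly rather than returning a table with FILTER.
VAR UserRegion = LOOKUPVALUE(Users[Region], Users[UserName], USERPRINCIPALNAME())
RETURN
    Sales[Region] = UserRegion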
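
Added example (not part of the original page and not Microsoft tooling): a Python check over a model's role definitions, in the JSON layout of a tabular model.bim file, that lists roles able to read a table without a row filter. The sample model, its role and member names, and the audit_roles helper are constructed for illustration.

```python
import json

# Constructed sample in the layout of a tabular model.bim file; the table,
# role and member names are made up for this example.
SAMPLE_MODEL = json.loads("""
{"model": {
  "tables": [{"name": "Sales"}, {"name": "Users"}],
  "roles": [
    {"name": "Sales Manager", "modelPermission": "read",
     "members": [{"memberName": "sales-managers@contoso.example"}],
     "tablePermissions": [{"name": "Sales", "filterExpression":
       "Sales[Region] = LOOKUPVALUE(Users[Region], Users[UserName], USERPRINCIPALNAME())"}]},
    {"name": "Analysts", "modelPermission": "read",
     "members": [{"memberName": "analysts@contoso.example"}]},
    {"name": "Refresh Job", "modelPermission": "refresh",
     "members": [{"memberName": "refresh-job@contoso.example"}]},
    {"name": "Model Admins", "modelPermission": "administrator",
     "members": [{"memberName": "bi-admins@contoso.example"}]}
  ]
}}
""")

READ_PERMISSIONS = {"read", "readRefresh"}  # model permissions that allow queries


def audit_roles(model_doc, rls_tables):
    """Return (role, finding) pairs for roles that can read rows unfiltered."""
    findings = []
    for role in model_doc["model"].get("roles", []):
        name = role["name"]
        permission = role.get("modelPermission", "none")
        # Map table name -> row filter expression defined for this role.
        filters = {tp["name"]: (tp.get("filterExpression") or "").strip()
                   for tp in role.get("tablePermissions", [])}
        if permission == "administrator":
            # Row filters do not restrict members of an administrator role.
            findings.append((name, "administrator permission: row filters not applied"))
        elif permission in READ_PERMISSIONS:
            for table in rls_tables:
                if not filters.get(table):
                    findings.append((name, f"reads '{table}' with no row filter"))
    return findings


if __name__ == "__main__":
    # Treat both the fact table and the user-to-region lookup table as sensitive.
    for role, finding in audit_roles(SAMPLE_MODEL, ["Sales", "Users"]):
        print(f"{role}: {finding}")
```

Listing Users as a sensitive table also flags the Sales Manager role, whose members could otherwise query the user-to-region mapping directly.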

Best Practices

For detailed information on specific DAX syntax for RLS and OLS, refer to the official Microsoft documentation.