Microsoft Fabric
Satori integrates with Microsoft Fabric to automate row-level security directly in PowerBI semantic models. Using this integration, row-level security policies in Satori are translated to PowerBI row-level security rules, ensuring consistent policy enforcement in both PowerBI Direct Query and Import Mode.
Integration Overview
The integration process involves the following steps:
- A Satori administrator defines row-level security policies in the Satori management console. The policies leverage group membership or user attributes that were synchronized from Microsoft Entra ID to Satori.
- The security policies are exported and stored in an Azure Data Lake Gen2 storage account on the customer's Azure tenant.
- A PowerBI engineer imports the security policies into the PowerBI semantic model using PowerBI Desktop. (This is a one-time task).
- The PowerBI project is published to a PowerBI Service workspace.
- Data consumers view the reports and other artifacts based on the semantic model. The policies that were imported by the BI engineer enforce access to the data.
- Whenever a policy changes, for example, when users join or leave groups, the policies are exported by Satori and imported to PowerBI service on the next refresh schedule, ensuring continuous and accurate policy enforcement.
Prerequisites
Enable Microsoft Fabric APIs
Perform the following steps to grant Satori access to Microsoft Fabric:
- Go to the Admin portal of your Microsoft Fabric account.
- Click the settings button on the toolbar and open the Admin portal.
- Select the Tenant settings section and scroll down to Admin API settings.
- Enable the Service principal can access read-only admin APIs toggle.
- Enable the Enhance admin APIs responses with detailed metadata toggle.
NOTE: Choose whether to enable these settings to the entire organization or to specific security groups.
Connect Satori to Microsoft Fabric
Perform the following steps to create an Azure service principal for Satori to connect to your Fabric workspace(s):
- Create an enterprise application in Microsoft Entra ID for Satori, for example: Satori Fabric Integration.
- Define a new application registration for the application you created.
- Select Overview and copy the Application (client) ID from the input field (this will be required later in the configuration process).
- Select Certificates and secrets, create a new Client Secret and copy the Secret Value from the input field (this will be required later in the configuration process).
- If you chose to enable the admin settings in the previous section for a specific group, make sure the service principal you created is a member of that group.
- Ensure the service principal has write permissions to a folder in an Azure Data Lake Storage Gen2 storage account.
Adding a Microsoft Fabric Data Store to Satori
Perform the following steps to add a Microsoft Fabric data store to your Satori account:
- Log in to the Satori Management Console.
- Go to the Data Stores view and click the Add Data Store button.
- Select the Microsoft Fabric option.
- Provide an informative name for the data store, for example: Sales Analytics Fabric Workspace.
- Enter your Workspace ID.
- Enter the Microsoft Tenant ID.
- Enter the Client ID (copied in the previous section).
- Enter your Client Secret (copied in the previous section).
- In the Data Access Controller (DAC) section select the cloud provider and region of the DAC to use for connecting to your Azure environment.
- Click the Add New Data Store button.
- You will be redirected to the Data Stores list view.
Note: Once the data store is successfully configured, the scan starts automatically and the data inventory is populated.
Setting Up the Microsoft Fabric Data Store
In this step, you configure the storage account folder where Satori will export the policies. After you copy the URL of your folder, contact your Satori representative or open a support ticket to update the URL in Satori.
The folder URL should have the following format: https://{STORAGE ACCOUNT NAME}.{STORAGE ACCOUNT HOSTNAME}/{PATH}. For example: https://satoridemo.blob.core.windows.net/powebi/powerbi-demo
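A pre-flight check for the folder URL before it is pasted into a support ticket, as an added example (not Satori's code). The function name `check_folder_url` and the rule set are assumptions made here; the account-name rule is Azure's 3-24 lowercase letters and digits, and a query string is flagged because it usually means a SAS token was copied along with the URL.

```python
import re
from urllib.parse import urlsplit

# Azure storage account names: 3-24 characters, lowercase letters and digits only.
ACCOUNT_RE = re.compile(r"^[a-z0-9]{3,24}$")


def check_folder_url(url):
    """Return a list of problems with a policy-export folder URL ([] means OK)."""
    if "{" in url or "}" in url:
        return ["unsubstituted placeholder"]
    problems = []
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if parts.username or parts.password:
        problems.append("credentials embedded in URL")
    # Only the folder location is needed; access comes from the service principal.
    if parts.query or parts.fragment:
        problems.append("query string or fragment present (possible SAS token)")
    # Expected host shape: {STORAGE ACCOUNT NAME}.{STORAGE ACCOUNT HOSTNAME}
    account, _, storage_host = (parts.hostname or "").partition(".")
    if not ACCOUNT_RE.match(account):
        problems.append("invalid storage account name")
    if "." not in storage_host:
        problems.append("missing storage account hostname")
    if not parts.path.strip("/"):
        problems.append("missing folder path")
    return problems


if __name__ == "__main__":
    # First URL is the page's own example; the rest are constructed test inputs.
    samples = [
        "https://satoridemo.blob.core.windows.net/powebi/powerbi-demo",
        "https://satoridemo.blob.core.windows.net/powebi/powerbi-demo?sv=x&sig=CONSTRUCTED",
        "http://satoridemo.blob.core.windows.net/powebi",
        "https://{STORAGE ACCOUNT NAME}.{STORAGE ACCOUNT HOSTNAME}/{PATH}",
    ]
    for s in samples:
        print(s, "->", check_folder_url(s) or "OK")
```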
Optional - Using Fabric Lakehouse as your Storage Account
In the event that you would like to use Fabric lakehouse as your storage account, you need to fetch the storage account path by performing the following steps:
- Log in to your Fabric Lakehouse.
- In the explorer panel, click the folder that you created for Satori.
- Click the three dots icon that appears and then select the Properties list item.
- Copy the Properties URL.
Importing a Security Policy to a PowerBI Project
Once you have created an RLS security policy for your Fabric data store in Satori, you must import it to your PowerBI project. For each table in the PowerBI semantic model that needs to be filtered, Satori exports three files:
- A dax.txt file containing the DAX expression with the filtering logic to be applied on the table.
- A parquet file that contains the values of the filters for each user.
- A CSV file that contains the same data as the parquet file in a readable format that can be used for troubleshooting.
To apply the RLS security policy to the Fabric semantic model perform the following tasks:
- Open your semantic model in Power BI Desktop.
- Create a table called satori_user_filter from the CSV or parquet file that Satori uploaded into your Azure Data Lake Storage Gen2.
Note: To understand how to load tables from Azure storage to Power BI, refer to the following tutorial.
To apply a DAX filter to a table perform the following tasks:
- Copy the content of the DAX file.
- Click the Manage Roles button in the toolbar and create a new role.
- Select the table you need to filter from the list and then paste the content into Table Filter DAX expression input.
- Click Save.
- Publish the semantic model to a PowerBI workspace.
Activating the RLS Policy in PowerBI Service
The final step is to assign users to the role you created in the previous step:
- Log in to PowerBI service.
- Go to the semantic-model security configuration and add users to the role you created for the RLS policy in PowerBI desktop. It is common to select a group and not individual users, for example: All Users.
- Refresh your semantic model to ensure that PowerBI service is able to load policy updates from Azure storage.
Security Validation
To validate that everything is working correctly, perform the following steps:
- Go to the Workspace view and select your semantic model's row in the table, then click the three dots icon and select Security from the list menu.
- Now go to the role you just created, click the three dots icon and select Test as Role.
- Click the Now Viewing As: tab and select the Select Person tab.
- Now enter the name of the user that you wish to test and ensure that the report is filtered correctly.
Updating the Fabric Security Policy
A well-crafted policy, such as a policy based on Microsoft Entra ID groups or user attributes, is less likely to require changes. However, in the event that you need to change your row-level security rules in Satori, you will have to re-import the policy to your semantic model in PowerBI Desktop and publish it to PowerBI Service.