# Windows AD user (Analysis Services)

When using Analysis Services and implementing a Row-Level Security (RLS) rule, it is common to face the challenge of having to map users individually in Power BI.

<figure><img src="/files/rxaU3uaesg3nkbtRK3J8" alt=""><figcaption><p>Mapping you need to do for each user, in each SSAS cube</p></figcaption></figure>

If you do not perform this mapping, you will see the following error message in Power BI when trying to access a report that is connected to Analysis Services (SSAS):

<figure><img src="/files/HBUrWPTeHuvbPWdXUfGq" alt=""><figcaption></figcaption></figure>

This process becomes even more complex when there are multiple cubes, requiring repetitive configuration for each cube, which can be both time-consuming and error-prone.

To access a report that uses Analysis Services in Power BI service, you must configure a user mapping, providing the Entra ID user (<user@domain.com>) and the Windows Active Directory user (DOMAIN\user) for each user and in each cube they will access.

If you have 100 users and 20 cubes, you would need to create 2,000 mappings! And there is no Power BI API to automate this.

### Power Embedded Always Innovating

To improve the experience of our users, Power Embedded is introducing significant improvements to simplify this configuration.

On the user creation/editing screen, you can enter the Windows Active Directory (AD) username for this user.

<figure><img src="/files/vMYhYrBQ9ewwXsqELukk" alt=""><figcaption></figcaption></figure>

When accessing a report that uses an "AnalysisServices" type data source, Power Embedded will pass this Windows AD user, eliminating the need to manually configure the user mapping in Power BI service for each user/cube.

With this new feature, once the "Windows AD User" field is filled in, Power Embedded automatically applies this configuration to all accessible cubes for this user, significantly reducing the complexity and effort required to maintain data security.

Although Power BI does not have an API to automate this user mapping, Power Embedded has [an API](https://api.powerembedded.com.br/) where you can automate user registration/updates and set the value of this field.

These improvements not only optimize security administration, but also reduce the workload associated with configuring and maintaining RLS in complex, large-scale environments, providing more efficient and less error-prone data management.

{% hint style="warning" %}
**Note:** This feature takes priority over the user pinning configuration by company in the Data Sources registration ([Help – Data Sources](https://docs.powerembedded.com.br/administracao/artefatos/fontes-de-dados)). With this field filled in, the system will use this value in the user's AD mapping and ignores the user pinning configuration.
{% endhint %}

### Adding Administrator Permission to the Gateway

For Power Embedded to implement row-level security (RLS) on cubes that use this Gateway, it is necessary to grant Administrator permission to the application user (PowerEmbedded-App) on the Gateway via Power BI Service.

Access the [Manage connections and gateways](https://app.powerbi.com/groups/me/gateways) screen and click on the ***Manage on-premises data gateways*** option.

<figure><img src="/files/H4UPtDMKF3CkavQ77p0U" alt=""><figcaption></figcaption></figure>

Now click on the 3 ellipses (…) next to the gateway you want to grant permission to and select the Manage Users option.

<figure><img src="/files/NwiHa9evOjBzJxGrp2ZI" alt=""><figcaption></figcaption></figure>

On the user management screen, search for the name of the application you are using in Power Embedded (the default name is *PowerEmbedded-App*), check the Administrator permission, and click the **Share** button.

<figure><img src="/files/3SI5h7omz3938dT7iX7l" alt=""><figcaption></figcaption></figure>

Now repeat this process for all gateways you need to manage and access data through Power Embedded, **especially if you are using a connection to Analysis Services (SSAS).**

{% hint style="warning" %}
**IMPORTANT:** It is not necessary to change the permissions on the data sources, since the Power Embedded user already has administrator permission on the Gateway.

This greatly reduces the effort of having to configure these permissions on each data source, since the number of data sources is much greater than the number of gateways.
{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.powerembedded.com/administration-portal/users/windows-ad-analysis-services-user.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.