PBI OLS Dataset Enricher App
The PBI OLS Dataset Enricher app repairs the lineage gap caused by Power BI's Object Level Security (OLS), which prevents Atlan's native crawler from retrieving PBI table metadata. It reads a BIM file exported from the Power BI Semantic Model and creates the missing Power BI tables, columns, column data types, and lineage processes, both upstream to the Data Warehouse and downstream to the PBI Dataset. This reference provides complete configuration details for the PBI OLS Dataset Enricher app.
Access
The PBI OLS Dataset Enricher app isn't enabled by default. To use this app, contact Atlan support and request it be added to your tenant.
Prerequisites
Before you begin, make sure you have:
- Tabular Editor installed and available to run a script that extracts the BIM file from the Power BI Semantic Model.
- A Service Principal to authenticate Tabular Editor with the PBI workspace and Semantic Model.
- A Premium Capacity or Fabric workspace so Tabular Editor can connect to the Semantic Model.
- An AWS S3 bucket where the extracted BIM file is uploaded and from which the workflow reads it.
Configuration
The following fields control where the workflow reads the BIM file from and how it's associated with your Power BI connection in Atlan.
Workflow name
Specifies a unique and descriptive name to identify the workflow in Atlan. This name appears in the workflow list and helps distinguish it from other lineage workflows.
Example:
pbi-ols-enricher-sales-workspace
Connection
Select the Power BI connection from the dropdown. The app uses this to associate the created tables, columns, and lineage processes with the correct PBI connection in Atlan.
The selected connection must already exist in Atlan and correspond to the Power BI workspace containing the Semantic Model you're enriching.
Source
The app retrieves the BIM file from an AWS S3 bucket. Configure the S3 access credentials using one of the three authentication methods below.
- User-based (access key)
- Role-based (EC2 instance role)
- Role delegation (cross-account)
User-based (access key)
Authenticate using an IAM user's access key and secret key. Use this method when Atlan isn't deployed on AWS or when you want to authenticate as a dedicated IAM user.
For detailed information on configuring storage credentials, access methods, and required fields for each provider, see the general Object storage configuration for apps guide, which applies to S3, GCS, and ADLS-based imports.
Role-based (EC2 instance role)
Attach the IAM policy directly to the EC2 role that Atlan uses in its EKS cluster. No access key or secret is required.
To set up:
- Raise a support ticket to use this authentication option.
- Atlan support attaches your IAM policy to the appropriate EC2 instance role.
No additional fields are required in the app configuration when using this method.
Role delegation (cross-account)
Delegate access to a role in your AWS account that Atlan's node instance role can assume. Use this when the S3 bucket is in a different AWS account from Atlan.
To set up:
- Raise a support ticket to get the ARN of the Node Instance Role for your Atlan EKS cluster.
- Create a new IAM role in your AWS account following the AWS IAM User Guide.
- Attach your IAM policy to this role.
- Create a trust relationship using the policy below, replacing <atlan_nodeinstance_role_arn> with the ARN provided by Atlan support:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "<atlan_nodeinstance_role_arn>"
        },
        "Action": "sts:AssumeRole",
        "Condition": {}
      }
    ]
  }
- Share with Atlan support:
  - The name of the role you created.
  - The ID of the AWS account where the role was created.
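Before sharing the role with Atlan support, you can check that the trust policy trusts only the one role ARN you were given. The script below is an added example, not part of Atlan's documentation or tooling; the function names and the sample ARN are constructed for illustration.

```python
import json

PLACEHOLDER = "<atlan_nodeinstance_role_arn>"  # literal placeholder from the template above
# Constructed sample ARN (AWS documentation account ID); not a real Atlan role.
SAMPLE_ARN = "arn:aws:iam::111122223333:role/example-atlan-node-instance-role"

def as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy_json, expected_role_arn):
    """Return findings; an empty list means only expected_role_arn may assume the role."""
    findings = []
    for i, stmt in enumerate(as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen trust
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: Principal is {principal!r}, not a specific role")
            continue
        for kind, values in principal.items():
            for value in as_list(values):
                if kind != "AWS":
                    findings.append(f"statement {i}: unexpected {kind} principal {value}")
                elif value == PLACEHOLDER:
                    findings.append(f"statement {i}: placeholder ARN was not replaced")
                elif value == "*" or value.endswith(":root") or value.isdigit():
                    findings.append(f"statement {i}: trusts a whole account or anyone ({value})")
                elif value != expected_role_arn:
                    findings.append(f"statement {i}: unexpected principal {value}")
        for action in as_list(stmt.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"statement {i}: unexpected action {action}")
    return findings

def make_policy(principal, action="sts:AssumeRole"):
    """Build a constructed trust policy in the same shape as the template above."""
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": principal, "Action": action, "Condition": {}}]})

if __name__ == "__main__":
    samples = {  # constructed inputs
        "filled in": make_policy({"AWS": SAMPLE_ARN}),
        "placeholder left": make_policy({"AWS": PLACEHOLDER}),
        "account root": make_policy({"AWS": "arn:aws:iam::111122223333:root"}),
    }
    for name, doc in samples.items():
        print(name, "->", audit_trust_policy(doc, SAMPLE_ARN) or "OK")
```

Pass the trust policy JSON you created and the ARN received from Atlan support as `expected_role_arn`; any finding means the policy grants more, or something other, than the single intended principal.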
Prefix (path)
The directory path within the S3 bucket where the BIM file is located. Use forward slashes (/) as path separators. If left blank, the workflow searches from the root of the bucket.
Example:
exports/sales-workspace/2024-01