An early Christmas present in my inbox was the announcement that Power BI Embedded Row Level Security was quietly completed in Dec. The documentation also popped up a few days ago. An early criticism of Power BI Embedded was that you couldn't really use it in customer portals because it was not possible to filter the data shown to the customer. It was an all-or-nothing affair which rendered it unusable in any scenario where you needed to present different subsets of the data depending on who was viewing it.
How to enable Power BI Embedded Row Level Security
Part 1: Roles in the Power BI Model
This works in two parts - first in the Power BI model, the procedure for creating security is the same as for normal Power BI RLS implementation. Firstly create roles to define the groups of people you want to apply filters to. Then for each role create a filter on a target table using the USERNAME() function:
How you manage the application of the security is up to you - either having intermediary tables that indirectly filter data, or simple direct filters on data tables - depends on your actual requirements.
Part 2: Apptoken in the Web App
In an Enterprise scenario, the USERNAME() function equates to a Windows username. This obviously doesn't apply in the Power BI Embedded world as your report consumer is outside your corporate network.
In this case the USERNAME() can be fed in via the apptoken that allows your web app to communicate with the Power BI service. An example (lifted from the Power BI blog) is below:
By modifying the code of your Web App you can dynamically set the username based on your Web App's own login system. As long as that translates properly to the filters you want your role to apply in the model then you have now got Power BI Embedded Row Level Security!
For the full documentation see here.