One of the questions I get regularly now that SQL Server supports RLS is how can to leverage this with SSAS. What many don’t know is that SSAS already supports this, even for Direct Query mode. So in this case you could have something like the following architecture: Dashboards and reports in Power BI that connect to an on premise SSAS server running DirectQuery mode connecting to SQL Server. All with the same username flowing from Power BI all the way down to SQL Server.
Let’s see how this works in SSAS, the Power BI and gateway part work as usual, no changes are needed there. The example below is using Tabular DirectQuery but the same works for Multidimensional ROLAP.
I have this simple model with just 1 table set to DirectQuery mode:
I am using the service account to connect to the data source (go to Existing connections, Edit Datasouce, Impersonations to get this dialog)
(By the way you should never use the service account as impersonation setting in any production environment, I just use it here as I am lazy 
)
Now if I connect to this model with Excel and run profiler on SQL Server we can see the user that is running the queries to SQL Server and logging into SQL using the service account SSAS is running under:
Now instead of the Service Account I want to use the credentials of the user who is connecting to my model and use that to connect to the SQL database. You cannot do this in the SSDT UI. Instead I publish the model to my server and open the Connection Dialog in SSMS:
Again this is set to impersonate the service account:
PS: to get this to work in the new 1400 compat level you have to enable the legacy datasources under options and not use the new Power Query import features
Clicking there it will give me a new option that I didn’t have in SSDT that allows me to use the credentials of the current user:
I press OK and connect again with Excel to my model, now I will be able to see that my username is being used to connect to SQL Server:
and that’s it, now SSAS passes on the credentials of the current user. If you have RLS configured at your SQL Server SQL database it will now only return the rows approved for this user. This option works for both Multi dimensional and Tabular.
Of course passing along credentials between machines can also complicate matters, in my scenario things are easy as I have all services on a single box but in a real world scenario SSAS and the SQL database system will not be on the same machine. In those cases you will need to configure Kerberos delegation between the two machines. Below you can find multiple blog post of SSAS and similar services that should give you a starting point on how to configure this:
https://msdn.microsoft.com/en-us/library/dn194199.aspx
http://sqlmag.com/sql-server-reporting-services/implement-kerberos-delegation-ssrs
Thanks for the info. I believe you can change the impersonation info in the DirectQuery Options section of the Deployment properties of the Tabular database in SSDT.
https://uploads.disquscdn.com/images/aae2e591dd25b94a784c1377d013dd8393f9cac14c6b494feb67c2ad5d249fb6.jpg