How can we improve Power BI?

Security - Ability to maintain source security for reports published on BI Sites

The general requirement is that visualizations (Power View, SSRS etc...) must not circumvent existing policies, or introduce yet another set of security policies on top of those already implemented at the source.

* For example, a visualization of sales data needs to reflect the policy that account managers can only read sales data for their region.
* For performance reasons, this is enforced at the source by injecting predicates into the query based on the end users identity. If identities for end users are not passed down the process chain into the data layer, it leaves us little option but to publish individual reports for every region, which results in an explosion of complexity and numbers of reports, or move the whole model to BISM and manage the policy in yet another place (namely the BISM model).

Impact
blocking migration to SPO/BI Sites. At least 412 Site Collections with more than 600 Power Views. Impacting Adoption or migration for majority of BPUs - e.g. Finance, LCA, HR, etc

899 votes
Sign in
Check!
(thinking…)
Reset
or sign in with
  • facebook
  • google
    Password icon
    I agree to the terms of service
    Signed in as (Sign out)

    We’ll send you updates on this idea

    Ramu KodemalaRamu Kodemala shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
    under review  ·  Sirui SunAdminSirui Sun (Admin, Microsoft Power BI) responded  · 

    Hey all!

    We’ve continued to make progress here, so I wanted to update this thread with our current capabilities for maintaining security on dashboards/reports.

    As always, all of this information can be found in our Row-Level Security (RLS)documentation: https://powerbi.microsoft.com/en-us/documentation/powerbi-admin-rls/

    > If you have set up RLS in Analysis Services, Power BI will send the signed-in user’s credentials to Analysis Services, and respect the RLS rules set up on the on-premises model.

    > Separately, you can set up RLS in Power BI for data sources that you import or connect to via DirectQuery. This process starts in PBI Desktop, where you define roles, and write DAX to constrain what data these roles can see. As part of this process, can you use the UserPrincipalName() DAX function to get the current signed in user’s UPN (e.g. joe@contoso.com). Then, once you publish to service, you can assign users to these roles.

    Does the above meet your requirements? Please let us know via comments or e-mail.

    Those of you who requested that the identity of the signed in Power BI user be pass through to Azure SQL, SQL DB, DWH, etc.: we hear you – that is under consideration.

    Thanks,
    -Sirui

    89 comments

    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • facebook
    • google
      Password icon
      I agree to the terms of service
      Signed in as (Sign out)
      Submitting...
      • Andrea LandwehrAndrea Landwehr commented  ·   ·  Flag as inappropriate

        Agreed - we are also looking at RLS and through desktop, definately slows things down. There needs to be better ways to link back to DB.

      • Connie CorredorConnie Corredor commented  ·   ·  Flag as inappropriate

        We really need the ability to connect to an SQL database with AD authentication for a live gateway connection when publishing to the web. PowerBI has this feature on the desktop, it should work on the web as well.

      • PlymouthRockPlymouthRock commented  ·   ·  Flag as inappropriate

        We've implemented RLS using DAX. The queries run 10 times slower. It appears that all of the data is returned to the client and then DAX filters it. To get the performance we need, we have to have the identity passed through to SQL Azure RLS via session_context.

      • PlymouthRockPlymouthRock commented  ·   ·  Flag as inappropriate

        Hi Sirui,

        Any update on identity pass through to Azure SQL. We know it is under consideration, but we need to know if it will be implemented.

        Thanks,

        Tim

      • Neil PalmerNeil Palmer commented  ·   ·  Flag as inappropriate

        I'd love to see this expanded to respect the SQL security using pass through auth and Azure Active Directory. When using services like SQL Azure, the security model can then be built in the database - agnostic of the reporting tool on top.

      • JonathanJonathan commented  ·   ·  Flag as inappropriate

        If I build a single report to which is applied some Row-level security, does the end-user need to buy some « application »/ « plugin » to visualize only the data he is allowed to see ?

        If not, how can we pass along his identity to the back end ?

      • PlymouthRockPlymouthRock commented  ·   ·  Flag as inappropriate

        This is also a deal breaker for us. We currently are working on a Multi-Tennant enterprise app using RLS in SQL Azure. All of our security is defined with Security Predicates in the database and we are adding the User ID in session context in our web application.

        We have started testing PowerBI embedded with Direct Query. With the ability to set User data in the Access Token, it shouldn't be that difficult to have PowerBI set session context after it connects to the database.

        It should be configurable to allow the developer to set any session context variable they choose.

        This would keep security where it belongs in the SQL database.

      • PieterPieter commented  ·   ·  Flag as inappropriate

        It should be possible to use the identity of the logged on user in both Power BI as well as in SQL DB/DWH etc.

      • vijayvijay commented  ·   ·  Flag as inappropriate

        RLS work in Power BI portal but does not work when user exports data to analyze in Excel.

      • Anonymous commented  ·   ·  Flag as inappropriate

        Why was this not fully developed in advance of the deployment of "Analyze in Excel"? Seems like a gaping security hole has been created by allowing users access to source level data without a good method of restricting access for some but not all, especially if primary distribution means are via publication to group workspaces where RLS currently does not work.

      • KevinKevin commented  ·   ·  Flag as inappropriate

        Is this being considered? Hoping for an update as this is mission critical for us. Won't be pursuing Power BI without it.

      • Jarkko SuominenJarkko Suominen commented  ·   ·  Flag as inappropriate

        This is definitely going the right direction. At least in the preview version we're able to add members to roles from our own organization. Will there be possibility to add members to roles also outside my own organization? That would be great addition to this!

      • Anonymous commented  ·   ·  Flag as inappropriate

        Without being able to pull data based on user, this product while being interesting is totally useless.

      • Anonymous commented  ·   ·  Flag as inappropriate

        Great work on RLS, but will we be able to dynamically filter data based on logged on user. i.e. set up a role with a large group of user in and then use a DAX statement using Username() or something like to filter data. Although username in PBI desktop returns AD account in Power BI service its a GUID string and most posts say not to use this. Noticed this suggestion that username() returns and effective name, which if done would solve the issue. https://ideas.powerbi.com/forums/265200-power-bi-ideas/suggestions/10312119-power-bi-service-return-effective-user-name-for-us . This way we can provide personal BI data to large groups of staff without having to create lots of individual roles.

      • GautamGautam commented  ·   ·  Flag as inappropriate

        We are unable to sync Roles and Membership from Azure AD
        We have 800+ site collections in our organization. Each site has one or more Site Managers. We intend to build a Site Manager Dashboard to help them monitor and manage site usage. The idea is to exploit the RLS feature so that each Site Manager is able to view the Dashboard data for his site only. The Site Managers can be constantly added or removed across sites. We tried using the new Roles Feature within PowerBI, so that each role maps to one site, and the Site Managers are added as members into those Roles. The challenge that we are facing is ensuring the Roles-Members mapping stays up-to-date in real-time (ideally). So, for instance when a person is provided Manager access on a site in Sharepoint, then he automatically gets membership into the corresponding Role in PowerBI. Is there some API exposed by PowerBI using which we could run a script when a new manager is added/removed for a site? Can anybody suggest a better solution? We are aware that Roles in PowerBI allow Active Directory Groups to be added, but defining AD Groups for each of our 800+ sites sounds like a maintenance nightmare. Is the PowerBI team considering any feature/API to help manage such a situation? We strongly believe that the scenario is NOT unique to us and will be faced by any big enterprise deploying PowerBI with Sharepoint.

      • Anonymous commented  ·   ·  Flag as inappropriate

        Still looking to see if there is a general solution for this without SSAS. This is crucial to implementation and may ultimately be the deal breaker that moves us to another platform.

      ← Previous 1 3 4 5

      Feedback and Knowledge Base

      Ready to get started?

      Try new features of Power BI today by signing up and learn more about our powerful suite of apps.