Evaluating Security of Access to Power BI

Power BI service development is rather fast with fixes, changes and new features introduced monthly (sometimes even faster). Therefore, all information in this blog post is valid as of February 2016. I’ll update this blog soon with latest features such as role security.

Power BI offers several ways to share and collaborate on reports and dashboards. Sharing a dashboard is very easy to do but it’s also important to understand how access to objects and data is granted when we click the Share button. This blog should clarify that area.

For better understanding I divided the blog into 2 parts – access to objects (dashboards, reports, tiles) and access to data itself. Let’s start with the first one.

Access to Objects

In order to access any shared content in Power BI you need to have a Power BI account (Free/Pro, depending on features used by shared content).

In Power BI you can share dashboards, reports and tiles in 4 different ways:

Other people can When you: Share a dashboard When you: Create a dashboard in a group (only in Pro) When you: Publish a content pack (only in Pro) When you: Publish to the web
View and interact

Yes

yes

yes

yes

Edit the original

No

yes

no

no

Create their own copies

No

yes

yes

no

Share with others

colleagues, yes. others, no

yes

no

no

(Source: https://powerbi.microsoft.com/en-us/documentation/powerbi-service-how-should-i-share-my-dashboard/)

  1. Share a Dashboard

Share a dashboard by entering email address:

  • share with colleagues with/without reshare option
  • share with external users (keep in mind that only work/school email addresses are supported for creating Power BI account)
  • share with members of a distribution group (up to a maximum of 500 members) by entering the email address associated with the distribution group
  • send a direct link to the dashboard by copying the URL if your colleagues already have access to the dashboard (in any way mentioned in the table above)

Share with external users
At this time, external sharing doesn’t work with role- and row-level security settings on SSAS Tabular models on-premises. External users can’t see any data if role- or row-level security is implemented on these models.

There are several differences when sharing a dashboard/report with external users:

  • it has the same Power BI account licensing requirements as sharing content within your organization
  • after sign in, they will see the shared dashboard in its own browser window without the left navigation pane, not in their usual Power BI portal
  • they have to bookmark the link to access the dashboard in the future
  • they can’t edit any content in the dashboard or report
  • they can interact with the charts in the reports (cross-highlight) and change any filters/slicers available on the reports connected to the dashboard
  • they have to use the same email address to access the dashboard
  • only your direct recipients can see the shared dashboard
  • you can see all the external users who have access to your dashboard marked as “Guest” in the “Shared with” tab

Reshare with colleagues
Resharing allows your colleagues to forward the email invitation to others in your organization (the invitation expires after one month). The following rules apply:

  • colleagues can reshare through the Power BI service and mobile apps
  • the owner of the dashboard can turn off resharing and also revoke resharing on an individual basis
  • to allow your colleagues to reshare, check the option “Allow recipients to share your dashboard”
  • only colleagues in your organization (with the same email domain or domain registered within the tenant) can reshare the dashboard (people outside your organization can view the dashboard but not reshare it)
  1. Create a Dashboard in a Group

Groups are only available with Power BI Pro.

Power BI Groups allow users to quickly and easily share their dashboards, reports, and data models with established teams.

  • equivalent to Office 365 Universal Groups (uses the same authentication mechanisms used in AAD to secure data)
  • you can create groups in Power BI or create a Universal Group in Office 365 admin center; either has the same result
  • data shared with Power BI Groups follows the same security consideration as any shared data in Power BI
  • when you’re a member of a group, you can create a dashboard in the group workspace
  • you can share dashboards with colleagues outside the group (it works the same as sharing a dashboard with colleagues)
  1. Publish a Content Pack

Organizational content packs are only available when you and your colleagues have Power BI Pro.

Create a dashboard with its reports and datasets, and then publish them all together as a content pack — either for the whole organization or for those in a specific security group or distribution list.

  • content packs are available in the Content Pack Library for your organization
  • as a member of the group, you can create your own dashboards/reports from the content pack (then you’ll have a personalized version of the content pack)
  1. Publish to the Web

Publish Power BI reports to the web – embed interactive visuals in blog posts, websites, social media, and other online communications, on any device. Publishing to web is available on reports in your personal workspace that you can edit. You can’t publish reports to the web that were shared with you.

Admin Portal – February Service Update

Admin portal is a new way of easy user management with a link to the O365 Admin Center. This is just the first set of controls planned for release. The Admin Portal has two administrative areas:

  • Manage Users, allows you to quickly manage users, admins, and groups from the Office 365 Admin Center
  • Tenant Settings, allows you to have more control over what features can be made available to your organization – there are currently 3 settings:
    • Publish to the web – When you disable this option, existing Publish to web embed codes will stop working, and users will not be able to create any new embed codes. However, users who created embed codes using Publish to web are still able to manage the embed codes they previously created.
    • Publish content packs to the entire organization – When you disable this option, no new content packs can be created but previously published ones will still continue to work as before.
    • Share dashboards externally – When you disable this option, users will get an error when they enter email addresses for an external tenant. Previously shared dashboards will stop working. When enabled again, previously shared dashboards will start working again.

Access to Data

Note: All data requested and transmitted by Power BI is encrypted in transit using HTTPS to connect from the data source to the Power BI service.

When a user shares queries, dashboards, reports, or any visualization, access to that data and those visualizations is dependent on whether the underlying data sources support Role Level Security (RLS):

  • For non-RLS enabled data sources, if a dashboard, report, or data model is shared with other users through Power BI, the data is then available for users with whom it is shared to view and interact with. Power BI does not re-authenticate users against the original source of the data; once data is uploaded into Power BI, the user who authenticated against the source data is responsible for managing which other users and groups can view the data.
  • For RLS-capable data source, only dashboard data is cached in Power BI. Each time a report or dataset is viewed or accessed in Power BI that uses data from the RLS-capable data source, the Power BI service accesses the data source to get data based on the user’s credentials, and if sufficient permissions exist, the data is loaded into the report or data model for that user. If authentication fails, the user will see an error.
    The only RLS-capable data source at this time is SQL Server Analysis Services:
    For organizations that use on-premises SSAS, Power BI offers the Power BI Analysis Services Connector (which is a Gateway). The Power BI Analysis Services Connector can enforce role- and row-level security on data sources (RLS).

Power BI Credentials

Users login to Power BI using an email address; when a user attempts to connect to a data resource, Power BI passes the Power BI login email address as credentials.

Domain connections
For domain-connected resources (on-premises or cloud-based), the login email is matched with a User Principal Name (UPN) by the directory service to determine whether sufficient credentials exist to allow access. When using work-based email addresses to login to Power BI, the mapping can occur seamlessly; when not using work-based email addresses, directory mapping must be established in order to allow access to on-premises resources with Power BI login credentials.

Non-domain connections
For data connections that are not domain-joined and RLS-capable, the user must provide credentials during the connection sequence, which Power BI then passes to the data source to establish the connection.

Connecting frequently to the same data sources with non-domain credentials
Power BI offers the Power BI Personal Gateway, which is a feature that lets users create credentials for multiple different data sources, then automatically use those credentials when subsequently accessing each of those data sources.

Conclusion and Resources

This blog summarized several different approaches to accessing data and content in Power BI service. It relies on the following resources where you will also find more detailed information and steps how to share a report, create a group, etc.:

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.
You need to agree with the terms to proceed