Data has surpassed Oil as the most valuable commodity. Out of the total world data, 90% of it was collected in the last 2 years and the collection rate is just getting faster. Data navigates via different channels and faces a security challenge at the same time. Business Intelligence and Analytics is one of the most popular & crucial part where data flows seamlessly. Power BI is unquestionably one of the most preferred SAAS(Software as a Service) BI tool used across every domain. One of the important features of Power BI is its ability to maintain different layers of security.
Power BI can get the data from most of the data sources available today. Power BI Desktop, Power BI dataflow, and datamart(new release) are used to connect to the data and carry the necessary transformation for the next steps. Being able to connect to that many data sources add up the challenge for data protection which Power BI have handled very well.
Once the report gets published to one of the workspaces in the cloud the Power BI/Workspace the roles and access can be defines by:
-Workspace Level
The user having access to the Workspace will have pretty much an access to every content published in that workspace (depending on the roles). There are 4 roles defined for the users in the Workspace among which Admin is on top and has the ability to manage other roles.
As you can see the Fig1 above, Workspace Viewer role in the workspace have the least access to the type of contents in the Power BI cloud.
- ‘Viewer’ don’t have access to the Datasets/Dataflow. Viewers don’t have the ability to Publish/Update the workspace app.
- ‘Contributor’ does have slightly higher access than the viewer with an access to the Datasets/Dataflow. They still don’t have the ability to Publish/Update the workspace app.
- ‘Member’ is below the Admin and does enjoy the wide level of access with few limitations.
-Report/Dataset Level
Admin can share the reports to the designated people/groups in this level. In this level, each report access can be managed based on the users and groups. Access to the reports can be managed in a minute level. It provides a good control over the reports in the workspace. Managing the access and defining the role becomes easy for the admin and for the report owner. Selective users or groups can have access to the selective reports in the workspace. This limits the access of the users to the reports which are not meant for them.
When the Admin or report owner provides a ‘Direct Access’ to the report then the access also gets added to the Dataset automatically. The access can be setup by navigating to the settings of the reports and Manage Permissions option as shown in Fig2.
On the next step, you’ll find two ways to share the report.
Direct Access : This option is more applicable for the people or groups for whom the report has been built. After adding the user in the ‘Direct Access’ option, the link of the report can be shared with them. The shared link will only work for the list of the people or groups who have been mentioned in the access list. (Fig3)
Links: Sharing the links is more like for the temporary purpose. Admin will have the ability to create a unique link to the user they’re sharing the report with. That link only works out for them. This is mostly applicable when somebody outside a regular group wants an access to the report for the quick review. Admin can either create a link from ‘Manage Permissions’ option or by directly clicking the share button on the report (Fig4). This option is used mainly to generate the link that can be shared with the users (either for Direct Access or specific people)
While generating the link to share the Admin has the ability provide the level of control over the report/dataset to the end-users as you can see on the Fig4 below (with checkboxes). Also, there’s also an option that lets the Admin to choose with whom they want to share the link with (Fig5)
a) People in your organization: This in general will let everybody in the organization to access the report. This is not usually recommended for the report that needs to be share with only specific people or groups.
b) People with existing access: These are the people mentioned in the ‘Direct Access’. When this option is selected to generate the link then that link will only work out for the people or groups mentioned in the ‘Direct Access’.
c) Specific people: This link sharing option gives the Admin/report owner more control over whom they want want to share the report. The shared link in this option only works for the person or groups for which it’s assigned to.
-Workspace App Level
This is the most common way reports are shared with the end-users. The workspace Admin/Member publish the workspace contents (reports & dashboards) and share it with the end-users with few setups. Only enabled contents are included in the workspace published app. While creating the app, the app publisher can define the access in the ‘Permissions’ section. They can add the users or groups in there and share the link afterwards to the users (Fig6).
The caveat on doing this is the assigned users would be able to view every published report in the app (even if it’s not meant for them). Control of the access over the individual reports are difficult in this process. The common solution would be applying the Row Level Security(RLS) within the report based on different data points.
Summary
This article is focused on data security in the Power BI platform. Power BI itself doesn’t store/host any data*. Power BI sources the data from different data sources and with the proper transformation and applied business requirements delivers it to the end-user. Since the data it’s pulling from the sources is visible in the reports and can be exported, it’s crucial to follow and apply the necessary measures to protect and preserve its integrity. So, data security=reports/datasets/contents security.
