Skip to main content

Power BI

Under Review

Security - Ability to maintain source security for reports published on BI Sites

Vote (1834) Share
Ramu Kodemala's profile image

Ramu Kodemala on 03 Mar 2015 07:53:46

The general requirement is that visualizations (Power View, SSRS etc...) must not circumvent existing policies, or introduce yet another set of security policies on top of those already implemented at the source.

* For example, a visualization of sales data needs to reflect the policy that account managers can only read sales data for their region.
* For performance reasons, this is enforced at the source by injecting predicates into the query based on the end users identity. If identities for end users are not passed down the process chain into the data layer, it leaves us little option but to publish individual reports for every region, which results in an explosion of complexity and numbers of reports, or move the whole model to BISM and manage the policy in yet another place (namely the BISM model).

Impact
blocking migration to SPO/BI Sites. At least 412 Site Collections with more than 600 Power Views. Impacting Adoption or migration for majority of BPUs - e.g. Finance, LCA, HR, etc

Administrator on 16 Aug 2020 02:15:30

Hey all! We've continued to make progress here, so I wanted to update this thread with our current capabilities for maintaining security on dashboards/reports. As always, all of this information can be found in our Row-Level Security (RLS)documentation: https://powerbi.microsoft.com/en-us/documentation/powerbi-admin-rls/ > If you have set up RLS in Analysis Services, Power BI will send the signed-in user's credentials to Analysis Services, and respect the RLS rules set up on the on-premises model. > Separately, you can set up RLS in Power BI for data sources that you import or connect to via DirectQuery. This process starts in PBI Desktop, where you define roles, and write DAX to constrain what data these roles can see. As part of this process, can you use the UserPrincipalName () DAX function to get the current signed in user's UPN (e.g. joe@contoso.com). Then, once you publish to service, you can assign users to these roles. Does the above meet your requirements? Please let us know via comments or e-mail. Those of you who requested that the identity of the signed in Power BI user be pass through to Azure SQL, SQL DB, DWH, etc.: we hear you - that is under consideration. Thanks, -Sirui

Comments (144)
Ramu Kodemala's profile image Profile Picture

Mark Cooper on 16 Aug 2020 03:52:39

RE: Security - Ability to maintain source security for reports published on BI Sites

'+1 for the ETA Please as this is preventing us from starting a major project and also because I used THREE whole votes :D

Ramu Kodemala's profile image Profile Picture

Maarten van den Dool on 16 Aug 2020 03:52:38

RE: Security - Ability to maintain source security for reports published on BI Sites

to use it for the company we need the possibility of default settings of a filter, depending on the user login, in SSRS we can handle that, but not in power BI

Ramu Kodemala's profile image Profile Picture

JD on 16 Aug 2020 03:52:37

RE: Security - Ability to maintain source security for reports published on BI Sites

To clarify, we don't need a security trimmed view... just a filter that returns the current user's name or UPN.

Ramu Kodemala's profile image Profile Picture

Václav Němec on 16 Aug 2020 03:52:37

RE: Security - Ability to maintain source security for reports published on BI Sites

to: JD ... I absolutely agree

Ramu Kodemala's profile image Profile Picture

Lara on 16 Aug 2020 03:52:36

RE: Security - Ability to maintain source security for reports published on BI Sites

Any news about this feature?

Ramu Kodemala's profile image Profile Picture

Rodrigo on 16 Aug 2020 03:52:35

RE: Security - Ability to maintain source security for reports published on BI Sites

The previous solution only works for those who have "SQL Server Analysis Services" + Enterprise Gateway.

I't would be great if we could send dashboards with some filters applied, but not allowing the end user to change those filters.

A lot of companies need this feature before they can apply Power BI as a business tool.

Is there a plan to implement this anytime soon???

Ramu Kodemala's profile image Profile Picture

Power BI User on 16 Aug 2020 03:52:34

RE: Security - Ability to maintain source security for reports published on BI Sites

It would be great to be able to implement the equivalent of RLS for Data sources such as Salesforce.com which would be based on the users login credentials that would check a user ID and only return records that match the user. Currently I have to create separate set of reports for each sales person (24+) and set the filters so that they only see their own data.

Ramu Kodemala's profile image Profile Picture

Sebastian Garces on 16 Aug 2020 03:52:24

RE: Security - Ability to maintain source security for reports published on BI Sites

You can do that with SSAS Tabular model and row-security model. Follow this link to do that https://msdn.microsoft.com/en-us/library/hh479759%28v=sql.120%29.aspx

Ramu Kodemala's profile image Profile Picture

Onboarding User on 16 Aug 2020 03:52:24

RE: Security - Ability to maintain source security for reports published on BI Sites

Would greatly ease the deployment of reports and dashboards to users assigned to different accounts or geographical area and filter data only relevant to their filed without having to manage separate reports for each user.

Ramu Kodemala's profile image Profile Picture

Brad on 16 Aug 2020 03:52:23

RE: Security - Ability to maintain source security for reports published on BI Sites

Basically, I'd like to see a 'Report-Creator' filter. As in, I apply the filter on my end but the Dashboard User cannot change it.