How do you avoid exposing data that's sensitive w...

edwardrmiles · ‎09-15-2016

I'm interested to hear any approaches I can use to avoid exposing data that's sensitive when personally identifiable but analytically interesting when aggregated

It's easy enough to remove or mask user names etc. but when you start applying filters on a set of data it's easy to imagine scenarios problems. For example, say I have HR data with an Average Pay measure, and I add a filter for Department and Role. If there are any roles in a given department being performed by one employee (quite a common scenario) then the Average Pay measure is in fact that individuals pay, and that exposes sensitive data.

Thus far the only solution I have come up with is to add a condition in a measure that returns blank if disticnt count of masked user identifiers is below a threshold (and hiding from report view the column). Something like this:

Average Pay:= IF( DISTINCTCOUNT([MaskedUserId]) < 10, BLANK(), AVERAGE('HrData'[Pay]) )

Does anyone have a more elegant / comprehensive solution? In particular this only works where users aren't allowed to edit the report

Thanks!

v-haibl-msft · ‎09-15-2016

@edwardrmiles

I think you can also try to use Row-level security (RLS). Just give a simple sample as below.

Assuming we have a similar table like below. We can create a calculated column to get the role count in one department.

RoleCount_Per_Depart = 
CALCULATE ( COUNTROWS ( Table1 ), ALLEXCEPT ( Table1, Table1[Department] ) )

Then we can create a non-admin role which can only see the data that belong to those departments which have more than 1 employee.

After publish to PBI Service, we can configure RLS to include ordinary employee into the Non-Admin group. Then employees in this group will not be able to see the data that belong to those departments which have only 1 employee.