Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
ShaunBrewer
Regular Visitor

Power BI Security question

‎05-25-2018 09:45 AM

Hi,

 

We are looking at rolling out Power BI and the desire is to have super users in seperate divisions building reports.

 

Development in Power BI Desktop - publish to cloud - enterprise gateway to on prem views in SQL Server (Pro licences for users).

 

We are currently using SSRS for reporting and security is handled within SSRS which prevents anyone in one division being able to access data for other divisions.

 

I have been searching for a while today and I do not seem to have identified how I can set up the security that will block the divisional report creators (super users) from accessing other divisions data.

 

If my understanding is correct RLS will only work for read-only users

 

I am not sure if this is possible but could I create divisional views with divisional data connections in the gateway and limit access to those conections?

 

 

 

Please can someone point me at some suggestions as to how to manage the security.

 

Any ideas or pointers greatfully received

 

Shaun

 

Message 1 of 5
1,792 Views
0
1 ACCEPTED SOLUTION
v-piga-msft
Resident Rockstar
Resident Rockstar
In response to ShaunBrewer

‎05-31-2018 06:43 PM

Hi @ShaunBrewer

I don't believe I will have problems with read only users, my concern is with report creators in the seperate divisions, these staff should not have access to other divisions data. However I can't see a way to bock report creators once the access is via the gateway.

 

While these users are internal I can control access to the data by creating divisional views and limiting access to these veiws by AD groups. However I am concerned that once in the cloud and accessing data via the gateway this control is lost?

 

If you have set the limit permission in the database, then when the report creator fetches data from Power BI Desktop, it can only fetch the corresponding data.  When you publish the report to PowerBi Service and configure the gateway. The permissions you have set in SQL Server will not be invalid, because the gateway just refreshes the data.

 

Best Regards,

Cherry

Community Support Team _ Cherry Gao
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

View solution in original post

Message 4 of 5
1,789 Views
4 REPLIES 4
v-piga-msft
Resident Rockstar
Resident Rockstar

‎05-28-2018 07:09 PM

Hi @ShaunBrewer,

 

I have been searching for a while today and I do not seem to have identified how I can set up the security that will block the divisional report creators (super users) from accessing other divisions data.

 

If my understanding is correct RLS will only work for read-only users

 

I am not sure if this is possible but could I create divisional views with divisional data connections in the gateway and limit access to those conections?

 

Your understand should be right that If you publish your Power BI Desktop report to an app workspace within the Power BI service, the roles will be applied to read-only members. 

 

For your scenario, we cannot create divisional views with divisional data connections in the gateway but we may create the view or table in the Database side and assign the access permission.

 

For reference about Power BI RLS, you could have a look at this article.

 

Best Regards,

Cherry

Community Support Team _ Cherry Gao
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
Message 2 of 5
1,754 Views
ShaunBrewer
Regular Visitor
In response to v-piga-msft

‎05-29-2018 03:00 AM

Sorry if this is a duplicate post - I am trying to reply but the post does not appear - slightly worried there is a delay and several duplicates will appear?

 

Hi Cherry,

 

thank you for your reply.

 

I have re-read the article you linked too, it was one I had looked at before posting, it is very useful.

 

I don't believe I will have problems with read only users, my concern is with report creators in the seperate divisions, these staff should not have access to other divisions data. However I can't see a way to bock report creators once the access is via the gateway.

 

While these users are internal I can control access to the data by creating divisional views and limiting access to these veiws by AD groups. However I am concerned that once in the cloud and accessing data via the gateway this control is lost?

 

Simplistically

 

In SQL Server

 

I can create views for each table and set read access via AD groups

 

e.g. vwTableA_D1

 

   SELECT * FROM TableA WHERE Division = 1

 

Report creators in Division 1 will be in the Divsion 1 AD group with read access to vwTableAD1.

 

My understanding is while the report creator is using Power BI desktop to develop everything is fine, but what happens if they create reports in the cloud or amend reports created in the Desktop tool from the cloud?  i.e. How do I stop a report creator in Divsion 1 accessing Division 2 views?

 

 

Thanks again and sorry if I am missing something.

 

Shaun

Message 3 of 5
1,733 Views
0
v-piga-msft
Resident Rockstar
Resident Rockstar
In response to ShaunBrewer

‎05-31-2018 06:43 PM

Hi @ShaunBrewer

I don't believe I will have problems with read only users, my concern is with report creators in the seperate divisions, these staff should not have access to other divisions data. However I can't see a way to bock report creators once the access is via the gateway.

 

While these users are internal I can control access to the data by creating divisional views and limiting access to these veiws by AD groups. However I am concerned that once in the cloud and accessing data via the gateway this control is lost?

 

If you have set the limit permission in the database, then when the report creator fetches data from Power BI Desktop, it can only fetch the corresponding data.  When you publish the report to PowerBi Service and configure the gateway. The permissions you have set in SQL Server will not be invalid, because the gateway just refreshes the data.

 

Best Regards,

Cherry

Community Support Team _ Cherry Gao
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
Message 4 of 5
1,790 Views
ShaunBrewer
Regular Visitor
In response to v-piga-msft

‎06-05-2018 08:31 AM

After experimenting this makes sense.

 

I had assumed you could develop reports in the cloud using the gateway as a power user, however it appears you can only develop the report with the Desktop tool and therefore permissions are handled normally not using the gateway credentials.

 

Thanks

 

Shaun

Message 5 of 5
1,712 Views
0

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All