Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Enhance your career with this limited time 50% discount on Fabric and Power BI exams. Ends September 15. Request your voucher.

Reply
AlexanderPowBI
Resolver I
Resolver I

RLS workaround - security issues with this solution?

‎11-01-2023 02:00 AM

Hello everyone,

 

I've constructed a report where each "company" can view their measures in comparison to the aggregated measures of all companies within their respective regions and for different attributes. This report encompasses many metrics, and consequently, numerous measures, some of which are quite complex. The report will be embedded to our website, where users will have to log in to view the report, and roles per company_Key which the user belongs to will be set. 

 

When building the report, I had no experience with RLS and I built it with the thought that when using RLS, the measures built to show aggregated data would work well. However, I discovered that when applying RLS, all other data gets hidden which is not related to the specific role. So, this breaks my report as I need to show “My company data” VS “measures with ALL data”.

 

I came up with a trick, to bypass this. I want to know if there is any security issues with this solution, and this is why I have made this post.

 

So what I did was:

  • Created a copy of “Company table” which is disconnected to the rest of the model (View model below)
  • Created two slicers for Company_Key in the report, one using “Copy of CompanyTable” and one using “CompanyTable”
  • Connected the slicers
  • Hid the “real” slicer (Company_Table)
  • Created RLS with Company_Key, using the Copy of CompanyTable.
  • Removed the “analyze in excel” option from the report.

 

Now, when I try this on the power BI web service, it looks that I have achieved what I want. The disconnected company slicer filters the report by being connected to the real slicer, displaying the report in the way I want it. Also, by disabeling "Analyze in excel", the dataset seems to me protected. 

 

However, I am not sure what will happen when we embed this into our website.

 - Will there be any security issues where someone who is tech-savy could find the hidden slicer in some way and reveal other “companys” data ? Or is the slicer 100% not reachable as it is hidden?
- Are there any other issues with this solution? 

 

And here is an overview of what the model looks like:

 

AlexanderPowBI_0-1698828831808.png

 

Thank you!

Message 1 of 4
364 Views
0
3 REPLIES 3
lbendlin
Super User
Super User

‎11-04-2023 06:24 AM

Let a user connect to the dataset via DAX Studio and make sure they don't see the original company table.

Message 2 of 4
326 Views
0
AlexanderPowBI
Resolver I
Resolver I
In response to lbendlin

‎11-05-2023 11:42 PM

Hello and thank you for your reply,

I will check out how to accomplish this, any suggestions on where to read up on this? I have only used DAX studio to connect to desktop versions & gooling i find how to connect it to the power BI service, not embedded versions.
Also, a software developer (with no Power BI knowledge) I asked told me in general, that this may be not safe as data may be acccesable by reverse-engineering the API. Do you know anything about this matter? 

Message 3 of 4
314 Views
0
lbendlin
Super User
Super User
In response to AlexanderPowBI

‎11-06-2023 07:58 AM

There isn't much to it. Connect DAX Studio to your dataset via 

 

Data Source=powerbi://api.powerbi.com/v1.0/myorg/<workspace name>;Initial Catalog=<dataset name>;

 

then evaluate the model and its tables  (partitions and expressions)

Message 4 of 4
306 Views
0

Helpful resources

Announcements
August Power BI Update Carousel

Power BI Monthly Update - August 2025

Check out the August 2025 Power BI update to learn about new features.

August 2025 community update carousel

Fabric Community Update - August 2025

Find out what's new and trending in the Fabric community.

View All