
Why is end-user allowed to change the sensitivity label when creating a report using live connection

I have a dataset that has a sensitivity label applied to it called `Confidential - Internal Only`.

 

In the admin portal I have enabled `Apply sensitivity labels from data sources to their data in Power BI` and `Automatically apply sensitivity labels to downstream content`. The test user is a member of `Allow users to apply sensitivity labels for content`.

 

When the test user creates a new report via the Power BI service, then the dataset's sensitivity label is inherited by the new report.

 

However, when a new report is created via Power BI Desktop, the end user can change/downgrade the sensitivity label (as it is a new file). What is the way to ensure that, when a new report is created via Power BI Desktop, the dataset sensitivity label that gets auto-applied to the report shouldn't be changeable?

 

Also, if the end user is not part of `Allow users to apply sensitivity labels for content` and creates a Power BI Desktop report, then the dataset label is not applied to the report.

Status: Delivered
Comments
Anonymous
Not applicable

Hi @nach_pbi ,

 

Please try it by following the articles below:

Power BI restricts permission to change or remove sensitivity labels from Microsoft Purview Information Protection that have file encryption settings to authorized users only.

Sensitivity label change enforcement - Power BI | Microsoft Learn

 

For more you may also refer to

Enable sensitivity labels in Power BI - Power BI | Microsoft Learn

Sensitivity labels from Microsoft Purview Information Protection in Power BI - Power BI | Microsoft ...

 

Best regards.
Community Support Team_ Caitlyn

nach_pbi
Frequent Visitor

The end user has `co-author` permission on the label. Yet the end user is able to change the label when creating a new pbix file and connecting to a live dataset. Can you test this scenario please?

 

As you know, `Co-author` excludes EDITRIGHTSDATA, EXPORT, OWNER. So it shouldn't allow the creator of the new pbix file to change the label when it is pointing to a sensitive dataset.

 

If this is allowed, then it means that an end user can create a new pbix, connect to a live dataset which is highly sensitive, change the label of the report to anything, and export the data - effectively this is against the principles of information protection?

nach_pbi
Frequent Visitor

Hi @Anonymous - any update on this please?