Solved: Managing data export permissions: Best practices a...

ogureisuo · ‎10-30-2024

Hi All,

I’m currently setting up and testing data export permissions with the goal of having complete control over which users can export data and which cannot. My aim is to effectively implement these permissions to prevent unauthorized data exports.

Observations and Testing Results:

According to the documentation, users assigned only the "Viewer" role should not be able to export data. In theory, this role restriction should limit viewers to viewing data only, without the ability to export. To verify this, I conducted some tests with a user assigned the following permissions: The user has only the Viewer role and does not have build permissions on the dataset.

However, I noticed that this user was still able to download/export the data, despite the expected restrictions. This result seems to contradict the documentation, suggesting that I may be overlooking certain permission settings or interactions that are affecting the user’s ability to export.

Settings
- The user has export rights at the tenant level.
- In the report settings, export permissions are enabled, with options for “Summarized data and data with current layout” selected.

Questions:

How can I better manage user roles for export permissions?
What’s the best approach to clearly separate users who should be able to export data from those who shouldn’t?

I’m hoping this helps clarify the situation and any overlooked settings, and I would appreciate any insights you can share. Thank you!

SaiTejaTalasila · ‎11-01-2024

Hi @ogureisuo ,

Here are some steps and best practices to help you better manage user roles for export permissions and ensure that only authorized users can export data:

1. Review Tenant-Level Permissions

• Export Rights at Tenant Level: Ensure that only users who absolutely need export capabilities have these rights at the tenant level. This setting can override other permissions and allow users to export data even if their role should restrict it.

2. Adjust Report-Level Settings

• Report Settings: Double-check the export permissions in the report settings. If "Summarized data and data with current layout" is enabled, consider whether this is necessary for all users or if it can be restricted further.

3. Use Role-Based Access Control (RBAC):

• Assign roles based on the principle of least privilege, ensuring users only have the permissions necessary for their tasks.

• Regularly review and update roles to reflect changes in job responsibilities.

4. Implement Conditional Access Policies:

• Use Azure AD Conditional Access to enforce policies that require multi- factor authentication (MFA) for sensitive operations like data export.

• Set up conditions based on user location, device compliance, and risk levels.

I hope it will be helpful.

Thanks,

Sai Teja

View solution in original post

SaiTejaTalasila · ‎11-01-2024

Hi @ogureisuo ,

Here are some steps and best practices to help you better manage user roles for export permissions and ensure that only authorized users can export data:

1. Review Tenant-Level Permissions

• Export Rights at Tenant Level: Ensure that only users who absolutely need export capabilities have these rights at the tenant level. This setting can override other permissions and allow users to export data even if their role should restrict it.

2. Adjust Report-Level Settings

• Report Settings: Double-check the export permissions in the report settings. If "Summarized data and data with current layout" is enabled, consider whether this is necessary for all users or if it can be restricted further.

3. Use Role-Based Access Control (RBAC):

• Assign roles based on the principle of least privilege, ensuring users only have the permissions necessary for their tasks.

• Regularly review and update roles to reflect changes in job responsibilities.

4. Implement Conditional Access Policies:

• Use Azure AD Conditional Access to enforce policies that require multi- factor authentication (MFA) for sensitive operations like data export.

• Set up conditions based on user location, device compliance, and risk levels.

I hope it will be helpful.

Thanks,

Sai Teja

Anonymous · ‎11-01-2024

Hi @ogureisuo, hello lbendlin, thank you for your prompt reply!

As far as I know, there is no specific configuration about preventing separate users to export one report.

As you mentioned, as long as a user has workspace viewer permission, they can download and export summarized data.

However, if you want users with the Viewer role to Analyze in Excel or export underlying data from the datasets in the workspace, you need to give them Build permission on the appropriate datasets.

Summarized data this refers to the data visible in the visual, which users can export.
Underlying data can see the data in the visual and other data from the semantic model.

Additionally, as lbendlin pointed out, even though we cannot prevent viewer users from exporting data, we can apply sensitivity labels to protect the data even after it has been downloaded.

Quote from Microsoft:

If the sensitivity label has protection settings, Power BI applies these protection settings when exporting report data to Excel, PowerPoint, or PDF files. Only authorized users are able to open protected files.

More information for your reference:

Roles in workspaces in Power BI - Power BI | Microsoft Learn

Export data from a Power BI visualization - Power BI | Microsoft Learn

Best regards,

Joyce

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.