dapster105
Advocate III

Prevent users switching to Edit mode in embedded report

Hi,

I'm trying to get my head around security issues when embedding reports.

I have successfully registered a native app in Azure AD and restricted Power BI permissions to View ones only. So I am confident that my application cannot accidentally or maliciously make edits to reports.

I have the embedding of the report working well.

However, it seems with only basic knowledge any user viewing the report through my app can alter the embedded report.configuration.permissions to All and then call report.switchMode('edit') to switch to the editing view of the report.

Changes cannot be saved so there is no potential damage to the report, however further detail about the report is exposed in Edit view which I don't want to be, e.g. fieldnames.

So my questions are:

1. Why does the API allow the switchMode when App permissions are off?

2. Is there any way to prevent this being done via console? (I'm assuming not)

3. What is the worst a malicious user could do / discover just by stealing the embed token plainly visible in the JavaScript?

4. Is there a better way of controlling whether my app users are allowed to change filters, switch to edit mode etc. if I don't want them to?

Thanks!

Tim

1 ACCEPTED SOLUTION
v-ljerr-msft
Employee

Hi @dapster105,

> However, it seems with only basic knowledge any user viewing the report through my app can alter the embedded report.configuration.permissions to All and then call report.switchMode('edit') to switch to the editing view of the report.

I agree that there'll be some potential risks in this scenario. I would suggest you create a new issue here to see if the professional engineers have an alternative solution, and make a plan to enhance the SDK on this feature.

Regards
