Hi,
I'm trying to get my head around security issues when embedding reports.
I have successfully registered a native app in Azure AD and restricted Power BI permissions to View ones only. So I am confident that my application cannot accidentally or maliciously make edits to reports.
I have the embedding of the report working well.
However, it seems with only basic knowledge any user viewing the report through my app can alter the embedded report.configuration.permissions to All and then call report.switchMode('edit') to switch to the editing view of the report.
Changes cannot be saved so there is no potential damage to the report, however further detail about the report is exposed in Edit view which I don't want to be, e.g. fieldnames.
So my questions are:
1. Why does the API allow the switchMode when App permissions are off?
2. Is there any way to prevent this being done via console? (I'm assuming not)
3. What is the worst a malicious user could do / discover just by stealing the embed token plainly visible in the JavaScript?
4. Is there a better way of controlling whether my app users are allowed to change filters, switch to edit mode, etc., if I don't want them to?
Thanks!
Tim
Hi @dapster105,
However, it seems with only basic knowledge any user viewing the report through my app can alter the embedded report.configuration.permissions to All and then call report.switchMode('edit') to switch to the editing view of the report.
I agree that there'll be some potential risks in this scenario. I would suggest you create a new issue here to see if the professional engineers have an alternative solution, and make a plan to enhance the SDK on this feature.
Regards