Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Find everything you need to get certified on Fabric—skills challenges, live sessions, exam prep, role guidance, and more. Get started

Reply
jdusek92
Helper IV
Helper IV

What are all the ways to see Underlaying data?

Hello,

I am building HR reports that have an underlying dataset containing highly sensitive personal information.

I want the report viewers to only be able to see the visuals with aggregated data (like averages, ratios ...) - with no possibility to view underlying un-aggregated data.

 

I already know about 3 ways viewers can access this data:

 

  1.  Analyze in excel - could be disabled by unticking jdusek92_0-1625788601565.png

     

  2. Export data settings in Power BI desktop. I don't know what exactly this does, but I always set it to "Don't allow"jdusek92_1-1625788686681.png

     

  3. NEWLY there is a third way: jdusek92_2-1625788762858.png that again allows viewers to see all unaggregated data. I have just discovered that I CANNOT disable this option, but I can partially do it by hiding all the fields and tables in my model:jdusek92_3-1625788865308.png

     

     

 

My questions: Are there any other ways for viewers to see underlying unaggregated data? And how to disable it? How do you deal with this situation?

 

Warm regards,

Jakub

 

1 ACCEPTED SOLUTION
v-easonf-msft
Community Support
Community Support

Hi, @jdusek92 
As mentioned in  service-datasets-build-permissions ,

 

Power BI provides the Build permission as a complement to the existing permissions, Read and Reshare. All users who already had Read permission for datasets via app permissions, sharing, or workspace access at that time also got Build permission for those same datasets. They got Build permission automatically because Read permission already granted them the right to build new content on top of the dataset, by using Analyze in Excel or Export.

With this more granular Build permission, you can choose who can only view the content in the existing report or dashboard and who can create content connected to the underlying datasets.

 

You can remove Build permission. If you do, the people whose permissions you have revoked can still see the report, but can no longer edit the report or export underlying data. Users with only read permission can still export summarized data.

 

 


You  need to check the dataset permissions  and remove build permission for the specified user to restrict their access to the underlying data source.For reports related to datasets, they will also be restricted from using Analyze in excel, export data, download pbix... 

 

Best Regards,
Community Support Team _ Eason

View solution in original post

2 REPLIES 2
v-easonf-msft
Community Support
Community Support

Hi, @jdusek92 
As mentioned in  service-datasets-build-permissions ,

 

Power BI provides the Build permission as a complement to the existing permissions, Read and Reshare. All users who already had Read permission for datasets via app permissions, sharing, or workspace access at that time also got Build permission for those same datasets. They got Build permission automatically because Read permission already granted them the right to build new content on top of the dataset, by using Analyze in Excel or Export.

With this more granular Build permission, you can choose who can only view the content in the existing report or dashboard and who can create content connected to the underlying datasets.

 

You can remove Build permission. If you do, the people whose permissions you have revoked can still see the report, but can no longer edit the report or export underlying data. Users with only read permission can still export summarized data.

 

 


You  need to check the dataset permissions  and remove build permission for the specified user to restrict their access to the underlying data source.For reports related to datasets, they will also be restricted from using Analyze in excel, export data, download pbix... 

 

Best Regards,
Community Support Team _ Eason

collinq
Super User
Super User

Hi @jdusek92 ,

 

In addition to what you have stated, in the Service you have to make sure to not select these options as well when you share the workspace/report.  In fact, for HR reports, we usually only share the APP and keep it locked down.  For example, the APP might look like this (we also share only with individual is possible so we know who has access and nothing is selected so they can't share or get to underlying data.  And then, we make sure that the workspace/report is not sharing either.

This is the APP:

collinq_0-1625853989170.png

 

You may also consider RLS if you really want to get it tightly regulated.

 

To clarify though - if you directly share the .pbix file with users, they will almost surely get to all the underlying data and that is why you should stay in the Service for this type of report.

 

 




Did I answer your question? Mark my post as a solution!

Proud to be a Datanaut!
Private message me for consulting or training needs.




Helpful resources

Announcements
Sept PBI Carousel

Power BI Monthly Update - September 2024

Check out the September 2024 Power BI update to learn about new features.

September Hackathon Carousel

Microsoft Fabric & AI Learning Hackathon

Learn from experts, get hands-on experience, and win awesome prizes.

Sept NL Carousel

Fabric Community Update - September 2024

Find out what's new and trending in the Fabric Community.

Top Solution Authors