According to the session policy, the “protect” capability works only on data that is not already labelled; an existing label cannot be overridden in the Power BI tool.
Did you know that Microsoft Cloud App Security is functional only on PowerPoint, Excel, and PDF files?
For an in-depth understanding of the Power BI security framework, let's look at the tool architecture.
The Power BI tool architecture is composed of two clusters: the Web Front End (WFE) and the Back-End cluster. The Power BI tool uses Azure Active Directory (AAD) to manage and store user credentials in Azure Blob. Data and metadata are stored and managed in Azure SQL Database.
Web front-end cluster – The WFE cluster serves the initial HTML page content when a user's browser loads the site, supporting the Power BI tool's initial connection and authentication process. Azure Active Directory (Azure AD) verifies the user's authentication and allows subsequent user access to the Power BI back-end service. Azure Traffic Manager, which communicates with the client's DNS service as soon as a user attempts to connect to the Power BI service, handles this user authentication step.
Back-end clusters – These clusters are made up of several virtual machines combined into multiple resizable scale sets. The sets are built to execute specific tasks and manage resources, including service buses, SQL databases, caches, and other critical cloud components. Every back-end cluster hosts tenant data, and each is referred to as its tenants' home cluster. Global Service provides the information about an authenticated user's home cluster, which the WFE cluster uses to route requests to the tenant's home cluster. Tenant data and metadata are stored within the cluster's limits, with the exception of data replication to another back-end cluster in a paired Azure region. That other back-end cluster works as a failsafe cluster in case of a regional outage.
Power BI Mobile is a collection of apps built primarily for Windows, Android, and iOS. The Power BI mobile apps can be broadly classified into two categories:
All the Power BI mobile applications use the same user connection and authentication sequence when communicating with the Power BI service. The Android and iOS applications create a browser session within the application itself, while the Windows application communicates with Power BI via a broker.
Application and device data – Telemetry gathers mobile app usage statistics and similar data, but not customer data. This data is then conveyed to services that monitor user activity involving sensitive data. The Power BI mobile application stores the following data on the device pertaining to the usage of the app:
Implementation of the Azure AD Conditional Access feature – Clients can activate a premium subscription to leverage Azure AD Conditional Access. This feature boosts security by setting the following measures:
Power BI data security for workspace and app creation – After exporting data from Power BI Desktop in the form of workbooks, reports, dashboards, dataflows, and datasets, clients can add security groups, Office 365 groups, and individuals as admins, contributors, and viewers. These members are then allocated roles that control what they can do with the exported data. The content can be rolled into a single package designed as an app and published across the entire organization or to specific groups of people. However, this package can include only workbooks, reports, and dashboards; clients can use the “included in app” option to publish specific datasets among the exported data. Clients can use the “build permission” option in the Power BI permission levels to give users secure access to the app's datasets, which users can then find when they search for shared datasets. App creation starts within workspaces, where teams collaborate on the Power BI content and then publish the finished app across the organization. These apps simplify the process of managing permissions.
The back-end cluster of the Power BI tool uses row-level security (RLS) to prevent unwanted access to data. RLS restricts access at the individual level, controlling what a user can view and access while working with Power BI reports, datasets, dashboards, and other content.
Did you know that dynamic RLS enables you to exclude a particular data value in some scenarios and include the same value in others, as your needs dictate?
RLS is activated by following the steps stated below:
Tracking tenant activity – It is critical to have complete visibility into the actions performed and the components accessed by Power BI users in order to adhere to regulatory compliance and manage records. This tracking is enabled by two Power BI features: the Power BI activity log and the unified Office 365 audit log. Both logs maintain a complete record of tenant activity data, which can be viewed to gain full visibility into the tenant's activity with data. Since data in the audit logs is retained for no more than 90 days, clients are advised to create a report from the audit logs and store it in Azure Blob Storage.
Importing data – After data is imported in Power BI Desktop, the Power BI tool connects to the data source using either the current user's authentication credentials from the desktop or the credentials identified when configuring scheduled refresh from the Power BI service. Restraint and utmost care are advised when publishing and distributing such reports. Clients should set row-level security as part of the datasets so that users cannot view or access anything beyond the data shared with them.
Exporting data – Authors can classify reports and use Microsoft Information Protection sensitivity labels to distinguish reports based on their sensitivity. If the sensitivity label carries protection settings, the Power BI tool applies those settings when data is exported from Power BI to PowerPoint, Excel, and PDF file formats. Data files with active protection settings can be opened only by authorized users. IT administrators can use Microsoft Cloud App Security to track user activity and access to data files, perform risk analysis in real time, and establish label-specific controls.
Data sources – DirectQuery is an ideal option for applying security at any level, since it queries the underlying data sources directly. After a DirectQuery report is published to the Power BI service, Power BI does not use different credentials for importing versus exporting data when connecting to the underlying data source. Therefore, it is essential to configure the users' credentials immediately after publishing a DirectQuery report. Once provided, these credentials are used for any user who opens the report, much as with imported data. Every user accessing the report sees the same data unless row-level security is applied to the report or part of it. Sharing the report demands the same amount of attention if security rules are defined on the underlying data source. Note that DirectQuery provides no security benefit for the data source until the Power BI tool passes the identity of the report consumer through to the underlying data source.
Sample customer profiles from a specific country can be used to demonstrate how this security mechanism works. Most reports display comprehensive data about all customers. Assume the full level of detail in the report is meant for management eyes only. Access by the relevant stakeholders is an essential security consideration: the full range of information might not be meant for guardians, while statistics on their own limited activity areas could be useful to them. Protecting critical information from prying eyes is extremely important.
To limit what is displayed to users responsible for specific regions, roles need to be configured for access to individual datasets in Power BI. Not every row will be displayed: the filters restrict the data, after authentication, to what the particular role is allowed to see. Rules can be drafted for multiple objects at the same time to limit access to critical data by category attributes across tables, and even to hide information entirely.
Assign different filter expressions to tables for specific roles, for example so that a guardian can view reports only for a specific province. To assign users to groups, publish the dataset to the Power BI workspace and enable the row-level security section for it. Test that security works correctly by logging in as the selected role; the reports will be displayed without the need to change rights for that account. Test the settings locally before deploying through Power BI.
Users assigned to row-level security roles cannot manage the configuration or edit content in the workspace, and the restrictions on the selected datasets will change for them too.
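As an added example (not code from the original article), these are the DAX row-filter expressions behind the static and dynamic roles described above, as entered under Modeling > Manage roles in Power BI Desktop; the Customers and SecurityMapping tables, their columns, and the role names are assumptions for illustration.

```dax
// Added example, not from the original article. Table and column names
// (Customers, SecurityMapping) and the role names are assumed.

// --- Role "Guardian_Ontario": static filter on table Customers ---
// Every member of this role sees only Ontario customers; a new role is
// needed for every additional province.
Customers[Province] = "Ontario"

// --- Role "RegionalGuardian": dynamic filter on table Customers ---
// SecurityMapping holds one row per (UserPrincipalName, Province) pair,
// so one role serves every guardian and a user may cover several provinces.
// A mapping row whose Province is "ALL" grants the full management view.
// USERPRINCIPALNAME() is evaluated for the signed-in viewer, which is what
// makes the filter dynamic rather than hard-coded.
VAR CurrentUser = USERPRINCIPALNAME()
VAR AllowedProvinces =
    CALCULATETABLE (
        VALUES ( SecurityMapping[Province] ),
        SecurityMapping[UserPrincipalName] = CurrentUser
    )
RETURN
    // A user with no mapping row gets an empty AllowedProvinces table and
    // therefore sees no rows at all (deny by default).
    "ALL" IN AllowedProvinces
        || Customers[Province] IN AllowedProvinces

// --- Helper measure for testing with Modeling > View as ---
// Shows which identity the filters are evaluated against; remove it from
// the report before publishing so the UPN is not exposed to viewers.
Current UPN = USERPRINCIPALNAME()
```

When testing in Power BI Desktop, use View as with the RegionalGuardian role and type a user principal name (email form), because USERNAME() returns DOMAIN\user on the desktop while the service supplies the UPN to both functions. Also remember that RLS is enforced only for users with Viewer access to the workspace or app; workspace admins, members, and contributors see the unfiltered data.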
It is extremely critical to keep business data confidential, particularly in view of the rising number of high-profile data breaches. For Power BI security, users can take advantage of multiple security options such as dynamic row-level security, which can secure a whole data file as well as obfuscate part of it. The roles assigned to users can be fine-tuned at a granular level to control team members' access to and activity on the information. Note that to enable this security structure, all the features in both the desktop and the cloud-based components of the Power BI tool must be properly activated.
Flatworld EDGE is a frontrunner in the IT solutions arena and has extensive expertise in software testing services, providing infrastructure management solutions, business intelligence solutions, and designing custom software. We leverage data analytics capabilities in our solutions to bring transformational business changes for our clients. Our Power BI solutions have aided our clients in bringing efficiency and acceleration in their day-to-day operations.