What is Security in Power BI?
Security in Power BI refers to implementing measures to ensure only authorized users can access, view, and manipulate data within a Power BI solution. It involves defining roles and permissions for users, data sources, and content, and enforcing them through authentication and authorization mechanisms.
The Power BI security Dashboard can be a great idea to better to understand the security status of the Power BI environment and implement preventive measures for data protection. In addition, it can significantly help organizations in the following ways:
- Overview of Power BI security measures such as role-based security, row-level security, and access controls
- Monitoring of user activities, data queries, and login attempts and Identification of potential security breaches.
- Manage secured data connections and protection of sensitive data.
- Organization’s compliance with regulations such as SOX, GDPR, etc.
Table of contents
- Security is critical to any Power BI solution and should be implemented at every level. Row Level Security is a powerful feature that allows you to restrict data access based on the user’s identity or role.
- Configuring Power BI Services involves setting various security, privacy, and data access options.
- Security measures should be regularly reviewed and updated to ensure compliance with regulatory requirements and changing business needs.
What Is Row-level Security?
Row-level Security (RLS) is a Power BI feature that allows you to restrict data access at the row level based on the user’s identity or role. It implies that users with appropriate roles can only see the relevant data in Power BI reports or dashboards while the rest is hidden. RLS is one of the Power BI best practices organizations must follow to secure their data, especially when working with sensitive data in Power BI tools.
You can configure RLS for the following:
- Data models imported to Power BI with Power BI Desktop
- On datasets using Direct Query connection such as SQL server
- In the model for Analysis services or Azure Analysis services live connection
Some of the key advantages and disadvantages associated with RLS are highlighted below
- RLS can help you prevent unauthorized access to sensitive data and define controls for secure data access.
- Using RLS and Power BI security best practices, you can create multiple roles with different permissions levels for a single report resulting in a simplified design for reports.
- RLS supports dynamic filters that restrict users to access only relevant data as per their assigned permissions, leading to an enhanced user experience.
- RLS in Power BI security can significantly impact the queries’ performance due to a high number of role or permission filters.
- Some of the key features of Power BI security, such as publishing to the web, are not supported with RLS.
Note: RLS only restricts data access for users with Viewer permissions and does not apply to Admins, Members, or Contributors permissions
In subsequent sections, we will see how to create RLS in Power BI.
How To Create Row-Level Security in Power BI?
There are various ways you can create Row-Level Security (RLS) in Power BI security.
- Define roles and permissions in Power BI Desktop
- Define roles using enhanced row-level security editor in Power BI Desktop
Once the security roles are defined, a Power BI Security Filter can be created to apply to your reports and Dashboards to restrict the sensitive data to only authorized users as per their assigned roles.
Option – 1: Define roles and permissions in Power BI Desktop
Besides roles, you can define permissions in Power BI security for users or groups in Power BI Desktop. To define roles and permissions, follow the steps mentioned below.
Step 1: Import the dataset into the Power BI report.
Step 2: Navigate to the Modeling tab, and select the Manager roles option.
Step 3: Click on the New button under the Roles section in the Manage security roles window to create a new security role.
Provide a name for the newly created role.
Step 4: Under the Select Tables section, select the table you want to filter the data. Then, apply the filter condition for the created role by clicking on Add option and clicking on Save.
You can also apply the filter conditions using the Switch to DAX editor. Then, you can provide the DAX rule.
Step 5: Publish the changes in Power BI Desktop by providing the destination. It will publish the report to the Power BI service.
Navigate to the Power BI service and select the Manage Roles screen. All the created roles will be visible.
Navigate to the Assign tab to add people or groups to roles in managing access to data by entering their email addresses.
Option – 2: Use an enhanced row-level security editor for defining roles and rules in Power BI
Enhanced row-level security editor can help you to specify the row-level security roles and filters in Power BI Desktop quickly and with minimal effort. This editor can enable users to toggle between using the default drop-down interface and a Power BI DAX editor. When you publish to Power BI, the role definitions are also published to Power BI automatically.
Follow the steps below to specify security roles using the enhanced row-level security editor:
Step 1: Navigate to Files > Options and Settings > Options > Preview features.
Turn on the “Enhanced row-level security editor” option under the Preview features tab.
Step 2: Import the dataset to the Power BI Desktop report
Step 3: Click on Model View under the Home tab
Step 4: From the ribbon, select Manage roles.
Step 5: Once the manage roles window opens, follow the processes as highlighted in Option – 1
Once the roles have been created, they must be validated within the Power BI Desktop. Then, you can validate the results as per the steps mentioned below:
Step 1: Navigate to the Modeling tab and select View as in the Security ribbon.
The View as roles window pops up, showing all the created roles.
Step 2: Select the role you created and click OK. It will apply that role to the reports in Power BI.
You can also select “Other user”; however, you must provide the user’s details in that case.
As a best practice, you can choose to provide User Principal Name (UPN) which is essentially a username and domain name like an email address format (For example, email@example.com). This is primarily used in the Power BI service and Power BI Report server. The results for Other user may differ when dynamic security is used in Power BI Desktop as this is dependent on the DAX expressions used in the filter.
Step 3: Once the desired role is selected, you get reports based on the RLS filters that allow the user to see.
To view the dataset, navigate to the data view. You’ll see the dataset per the filter condition for the selected role.
How To Configure Power BI Services?
Step 1: To configure Power BI Services, you must log in to the Power BI service. Then, navigate to the Settings menu and click on Settings.
Step 2: Navigate to the Datasets tab. Here, you can configure various settings related to the dataset.
Some of the key settings you may configure include:
- Gateway Connection
- Scheduled refresh
- Request Access
- External Sharing
Important Things to Note
Some important things to note when working with Security in Power BI include:
- RLS filters table rows and cannot be configured to restrict access to model objects such as tables, columns, or measures.
- If a user has access to a particular row of a dataset, then RLS can’t limit the columns or measures, i.e., they can see all the columns of the data.
- There are a few scenarios where RLS in Power BI security vulnerabilities can produce unexpected results:
- Tables with no data or incorrect values
- Relationship across model tables is incorrectly defined, such as incorrect column mappings.
- When the Apply security filter in bi-directional relationship property is set incorrectly.
- The user is assigned multiple roles using RLS in Power BI security.
- The model has multiple aggregation tables, and the RLS rules are inconsistent across the aggregated tables.
Frequently Asked Questions (FAQs)
To remove row-level security in Power BI:
• Navigate to the Modeling tab in the Power BI Desktop and select Manage roles under the Security ribbon.
• Select the role and table on which row-level security is defined in Power BI security.
• Remove the filter by selecting the filter conditions or removing the DAX expression using the DAX editor.
• Save the changes and publish the Power BI Desktop report to Power BI Service to reflect the changes.
• Object-level security (OLS) in Power BI refers to controlling access to specific objects within a Power BI solution, such as tables, columns, reports, dashboards, or datasets.
• OLS can restrict unauthorized users from accessing the business critical or any sensitive information by concealing the objects. However, this creates a misconception that the columns or tables don’t exist for those viewers who don’t have the required permission to access these objects.
• OLS is achieved by defining roles and permissions for each object and enforcing them through authentication and authorization mechanisms.
• OLS can be used with row-level security and other security features to ensure that users only have access to the objects they are authorized to view or modify.
Currently, Power BI security does not natively support page-level security. However, there are different workarounds available to create customized navigation for different pages for different roles. To implement this option, you can make use of conditional navigation and row-level security features in Power BI.
The current version of Power BI Desktop does not natively support column-level security in Power BI security. However, you still can implement column-level security with a well-designed data model along with the row-level security feature using external tools such as Tabular Editor, Visual Studio, etc.
Some of the key steps required are:
• Define the roles in the model view.
• Setting the permissions for the columns to either None (enforcing the object-level security and hiding the column from the role) or Read (enabling the column visible for the role).
• Publishing the dataset to Power BI Service.
• Assigning the members or groups to the appropriate roles in the Power BI Service configuration.
Guide to Power BI Security. Here we learn how to configure power BI services and create row-level security with step by step guide. You can learn more from the following articles –