Securing datasets in Power BI Service

Deploying and Maintaining Assets in Power BI

Kevin Feasel

CTO, Faregame Inc

Dataset permissions

Read

  • Allow users to access reports which read data from the dataset
  • Does NOT allow users to find content which uses a dataset
  • Does NOT support external API queries

Build

  • Allow users to build new content from a dataset
  • Allow users to find content which uses a dataset
  • Allow users to query using external APIs

Reshare

  • Allow users to share dataset contents with other users
  • Can grant Read, Reshare, or Build permissions to other users

Write

  • Allow users to view and modify dataset metadata
Deploying and Maintaining Assets in Power BI

Datasets and workspace roles

Admin Member Contributor Viewer
Read Yes Yes Yes Yes
Build Yes Yes Yes No
Write Yes Yes Yes No
Reshare Yes Yes No No
Deploying and Maintaining Assets in Power BI

Ways to obtain dataset permissions

  • Directly grant dataset permissions to a user or group

Adding dataset permissions for a user or group.

Deploying and Maintaining Assets in Power BI

Ways to obtain dataset permissions

  • Directly grant dataset permissions to a user or group
  • Grant permissions to an app and let the user get the app

Granting access to an app gives users the rights of that app.

Deploying and Maintaining Assets in Power BI

Ways to obtain dataset permissions

  • Directly grant dataset permissions to a user or group
  • Grant permissions to an app and let the user get the app
  • Share a link to a report

Grant rights to a user by sharing a link.

Deploying and Maintaining Assets in Power BI

Row-level security (RLS)

  • Restrict data access for given users
  • Create filters to show or hide specific rows based on the current user's access rights
  • Filters defined for roles
  • Use Power BI Desktop to define roles
  • Use Power BI Service to assign users and groups to roles

Power BI Desktop allows us to define roles in row-level security and Power BI Service lets us assign users and groups to roles.

Deploying and Maintaining Assets in Power BI

Row-level security limitations

  • Performance will be slower due to additional processing requirements
  • Users with dataset Write permissions will see all data--in practice, row-level security is limited to Viewers
Deploying and Maintaining Assets in Power BI

Sensitivity labels

  • Guard sensitive content against unauthorized data access and leakage
  • Sensitivity labels with encryption settings may affect access to content in Power BI Desktop
  • Power BI admins can block export of sensitive data
  • Sensitivity labels may change--people with the ability to set sensitivity labels may change them
  • All changes are tracked in the Power BI audit log

Adding a sensitivity label to a report.

Deploying and Maintaining Assets in Power BI

To set sensitivity labels

  • Sensitivity labels must be set up in the Microsoft 365 Compliance Center
  • Sensitivity labeling must be enabled for the organization
  • Must be logged in
  • Must have Power BI Pro or Premium Per User license
  • Must have edit permissions on the content you wish to label

Setting a sensitivity label in Power BI Desktop.

Deploying and Maintaining Assets in Power BI

Let's practice!

Deploying and Maintaining Assets in Power BI

Preparing Video For Download...