Group identities in "Identities Username" in Power automate flow - powerbi

I created a Power Automate flow and need to embed groups of individuals, due to RLS, in the "Identities Username" section instead of only one individual identity/username. In the RLS settings the individuals are added using a mail group.
Do I need to generate an embed token with the individual users?
I tried to add mail groups in the Identities Username section, but it doesn't work.

Related

After using Custom Authorization in Power BI report server, I cannot add the group in the Row level security section

After using Custom Authorization in Power BI Report Server, in the Row level security part I cannot assign a group from the database. I also checked the code of the Authorization.cs, AuthenticationUtilities.cs and AuthenticationExtension.cs classes, and I didn't find a method related to Row level security that I could develop.
I was able to develop the security part that checks the permission of each report based on the groups and users of my database, but I ran into trouble in the Row level security part and did not find a method to develop.
There is no way to handle groups in RLS in custom auth.
https://github.com/microsoft/Reporting-Services/issues/188
and
If you're using custom authentication in Power BI Report Server, [USERNAME()] returns the username format you’ve set up for users.
Row-level security (RLS) in Power BI Report Server
So in your model you set up RLS rules based on the username format you passed from your custom auth extension.

How do I manage google groups and modify user attributes without domain wide delegation?

I want to give GSAs direct access to modify Google users. I can't find current docs on this, so I'm assuming it's not possible right now?
It looks like this is only possible for working with groups:
https://workspaceupdates.googleblog.com/2020/08/new-api-cloud-identity-groups-google.html
I need to give a GSA access to read group membership and also modify user attributes.
Right now I:
1. create an admin G Suite user;
2. create a GSA with domain-wide delegation using these scopes:
   https://www.googleapis.com/auth/admin.directory.group
   https://www.googleapis.com/auth/admin.directory.user
3. impersonate the G Suite user with the GSA and modify user attributes like this:
   # Directory API client that impersonates the admin G Suite user
   service = create_directory_service("G SUITE USER")
   # replace the user's attributes with the supplied body
   service.users().update(userKey=uKey, body=myAttributes).execute()
Do I still need domain-wide delegation to modify user attributes? Or is it supported now as well?
You can follow this guide to create a Service Account, turn on the Admin SDK API (which allows the service account to provision/manage the users), and authorize it.
The Service Account created can then be used to provision/manage the G Suite users; here is a guide on how to manage user accounts using the Directory API, which is part of the Admin SDK.
In short, yes, it is possible to manage users too by using Service Accounts, not just groups.

Different report by logged in user

I am new to Power BI and I have a project where I store my data on a MySQL (or I will use MSSQL) server. Each user has a defined ID. Is it possible to create a user login or something like that that would show reports for different users?
A login screen with a Power BI shortcode will be on my website and I would like to show the Power BI report by logged-in user. The report screen will be the same every time, but with different numbers for different users.
I am sorry for this question, but I am new to Power BI. Is it even possible to create something like this?
Thanks for any help.
You can take a look at Row-level security.
Row-level security (RLS) allows you to restrict a logged-in user's access to a report's data, i.e. you can show different parts of your data based on the logged-in user.
You can set up RLS in Power BI Desktop. You can create different roles that can be assigned by generating the embed token while embedding.
Refer docs: https://learn.microsoft.com/en-us/power-bi/admin/service-admin-rls
While embedding, generate the embed token based on the user who has logged in and assign the roles to it. Refer docs: https://learn.microsoft.com/en-us/power-bi/developer/embedded/embedded-row-level-security
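The answer above describes generating the embed token for the user who has logged in and assigning RLS roles to it. The following is an added example (not code from the original answer or from Microsoft) of how the server side of that flow can look: the effective identity is derived from the application's own authenticated session and then sent to the Power BI REST GenerateToken endpoint. The role mapping, the session shape and the dataset id are assumptions for the example; the Azure AD access token for the service principal or master user is assumed to be acquired elsewhere (for instance with MSAL).

```python
import json
import urllib.request

POWER_BI_API = "https://api.powerbi.com/v1.0/myorg"

# Assumed mapping from the web application's own roles to the RLS role names
# defined in the dataset (the role names here are constructed for the example).
APP_ROLE_TO_RLS_ROLES = {
    "customer": ["Customer"],
    "regional_manager": ["Region"],
}


def effective_identity_for(session_user, dataset_ids, role_map=APP_ROLE_TO_RLS_ROLES):
    """Translate the server-side session into one Power BI effective identity.

    The username comes from the application's authenticated session, never from
    a request parameter: whatever username is placed here is exactly the user
    whose RLS rows the embed token will expose.
    """
    username = session_user.get("email", "").strip()
    if not username:
        raise ValueError("no authenticated user in session")
    rls_roles = role_map.get(session_user.get("app_role"))
    if not rls_roles:
        raise ValueError(f"no RLS role mapped for app role {session_user.get('app_role')!r}")
    if not dataset_ids:
        raise ValueError("an effective identity must name the dataset(s) it applies to")
    return {"username": username, "roles": list(rls_roles), "datasets": list(dataset_ids)}


def build_generate_token_body(identity, access_level="View"):
    """Request body for POST .../groups/{workspaceId}/reports/{reportId}/GenerateToken."""
    return {"accessLevel": access_level, "identities": [identity]}


def generate_embed_token(workspace_id, report_id, aad_access_token, body):
    """Call GenerateToken with the app's own Azure AD token (assumed obtained elsewhere).

    The response carries the embed token, its id and its expiration; only the
    embed token is handed to the browser.
    """
    url = f"{POWER_BI_API}/groups/{workspace_id}/reports/{report_id}/GenerateToken"
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {aad_access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed session and placeholder dataset id; no network call is made here.
    session = {"email": "some.one@domain.com", "app_role": "customer"}
    identity = effective_identity_for(session, ["DATASET-ID-PLACEHOLDER"])
    print(json.dumps(build_generate_token_body(identity), indent=2))
```

The point of routing everything through `effective_identity_for` is that the browser never chooses the username or the roles: the session decides, and an unmapped application role fails closed instead of producing a token without RLS roles.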

How does RLS behave when user does not match record in users table?

Suppose I have a Sales and a Users table. The Sales table has a userid to link to the Users table.
A dynamic RLS filter is configured on the Users table's email column:
Email = USERNAME()
There is a role called User and I have added a couple of users to it via the Power BI service.
Hence whenever a user logs in he can see his own sales data.
However, when a user is a member of the User group but there is no record for that user in the Users table, then when he logs in there will be no filter applied because that email doesn't exist in the Users table. Thus the user can see everyone's data?
What is the workaround for this?
For those people not in a mapping table for RLS, they will not see any data.
You can test this in Power BI Desktop.
For example, in my mapping table of users, which links to customer, then to the data, I have two users:
And each user can see the following customers:
So if I view as the role as 'some.one#domain.com' I'll see only the data mapped to that user.
However, if I set it as 'some.three#domain.com', you don't see anything.
In the Service you have to add the users to roles as set up in the dataset security settings; if you're not in the role in the service, you get a security warning:
If you are in the role, but are not in your mapping table, it will return no data, like it would in Power BI Desktop.
Please note: for RLS to work, the users must be in the 'Viewer' role at the workspace level. If they are Admin, Member or Contributor, they will be able to see all the data.
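The answer above states that a user who is in the role but absent from the mapping table sees no data, and that workspace Admins, Members and Contributors bypass RLS. The following added example (not from the original answer, and a plain-Python model rather than the Power BI engine) reproduces that behaviour on constructed Users and Sales tables: the role filter `Email = USERNAME()` on Users propagates to Sales through the one-to-many relationship, so an unmatched username leaves both sides empty rather than unfiltered. It also includes a check listing role members who are missing from the mapping table, which is the practical way to catch the situation the question asks about. The table contents and the `role_members` list are constructed sample data.

```python
# Constructed Users and Sales tables standing in for the question's data model.
USERS = [
    {"userid": 1, "email": "some.one@domain.com"},
    {"userid": 2, "email": "some.two@domain.com"},
]
SALES = [
    {"saleid": 10, "userid": 1, "amount": 100},
    {"saleid": 11, "userid": 2, "amount": 250},
    {"saleid": 12, "userid": 1, "amount": 75},
]


def rls_filter_users(username, users):
    """The role's table filter Email = USERNAME(); DAX string comparison is case-insensitive."""
    return [u for u in users if u["email"].lower() == username.lower()]


def visible_sales(username, users, sales):
    """Filter propagation Users (one) -> Sales (many).

    Sales keeps only rows whose userid survives on the Users side. When the
    filter on Users matches nothing, the surviving set of userids is empty, so
    Sales is empty too: an unmatched user gets no rows, not all rows.
    """
    allowed = {u["userid"] for u in rls_filter_users(username, users)}
    return [s for s in sales if s["userid"] in allowed]


def sales_for_viewer(username, workspace_role, users, sales):
    """What the person actually sees in the service.

    RLS is applied only to workspace Viewers; Admin, Member and Contributor
    bypass it, as the answer notes, so those roles see the whole table.
    """
    if workspace_role != "Viewer":
        return list(sales)
    return visible_sales(username, users, sales)


def role_members_without_mapping(role_members, users):
    """Role members (as assigned in the service) with no row in the mapping table.

    These people get an empty report; listing them is the check to run before
    anyone reports 'the visual is blank'.
    """
    mapped = {u["email"].lower() for u in users}
    return sorted(m for m in role_members if m.lower() not in mapped)


if __name__ == "__main__":
    for who in ("some.one@domain.com", "some.three@domain.com"):
        ids = [s["saleid"] for s in sales_for_viewer(who, "Viewer", USERS, SALES)]
        print(f"{who} as Viewer sees sale ids {ids}")
    # Constructed role membership: some.three is in the role but not in the mapping table.
    print(role_members_without_mapping(["some.one@domain.com", "some.three@domain.com"], USERS))
```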

Enforce two factor authentication in google compute engine projects

I use google compute engine in an organisation of ~100 people. How do I make sure that all the accounts I add to a compute engine project have two factor auth enabled?
I searched google documentation for (enforce|ensure|mandatory) two factor (gcloud|gce|google cloud) but didn't find anything that answered my question.
This question is only partially answered. It is possible with Gsuite. It remains unknown if this can be done without Gsuite.
There is a new service called Cloud Identity.
Cloud Identity provides free, managed Google Accounts to users who don’t need G Suite Services, such as Gmail or Drive.
Relevant for you:
Directory and account security:
Create and manage users.
Create and manage groups.
Manage account security by setting up basic 2SV or enhanced 2SV using security keys.
etc...
Follow the instructions here to make 2-Step Verification mandatory in G Suite:
1. If you will require 2-Step Verification of all users in the domain or within an existing organizational unit (OU), you may skip this step. If you need to have a different 2-Step Verification setting for a select group of users within an organization, create an admin-managed group containing all such users. See Use exception groups for detailed instructions on creating custom groups.
2. On the dashboard, click Reports, then select Security. Confirm that all users to be forced into 2-Step Verification are already enrolled in it, indicated by "Enrolled" in the 2-Step Verification Enrollment column.
3. On the dashboard, click Security > Basic settings > Enforce 2-Step Verification on users.
4. Select the organization where you wish to make 2-Step Verification mandatory. Then select Turn on enforcement. 2-Step Verification will become mandatory within 24 to 48 hours after turning on enforcement.
5. To have a suborganization inherit the 2-Step Verification setting from its parent organization, click the Use inherited button that appears near the right margin when you hover over the Authentication pane.
6. If you would like to exempt a group of users, select the group name (created in step 1) on the right-hand side, keeping the organization selected on the left-hand side of the page, and select Turn off enforcement. This will apply 2-Step Verification to all users in the selected organization except the users in the exception group.
7. Save your changes.
All users of the selected organization are now required to enter a secondary code from their mobile device.
Reference: https://support.google.com/a/answer/2548882?hl=en
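Two answers on this page lean on the same mechanism: the Google groups answer says a service account with domain-wide delegation can manage users through the Directory API, and the 2-Step Verification answer asks you to confirm in the Reports section who is already enrolled before turning on enforcement. The following is an added example (not code from either answer or from Google) with one delegated-credential helper used for both: updating a user's attributes, and pulling the user usage report with the 2SV enrollment parameters to list who is not yet enrolled. It assumes the google-auth and google-api-python-client packages, a service-account key file path and an admin address that are placeholders, and that the scopes listed were authorized for the service account's client ID in the Admin console. The group scope is the read-only one, since the question only needs to read membership. The library imports are local to the helper so the report-parsing function runs without them on the constructed sample response.

```python
from datetime import date, timedelta

# Least-privilege scopes: read group membership, write user attributes,
# read usage reports. These must match what the Admin console authorized.
DIRECTORY_SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
]
REPORTS_SCOPES = ["https://www.googleapis.com/auth/admin.reports.usage.readonly"]


def delegated_service(key_file, admin_email, api, version, scopes):
    """Build an Admin SDK client acting as admin_email via domain-wide delegation.

    The scopes requested here must be the set authorized for the service
    account's client ID in the Admin console, or the token request is refused.
    """
    from google.oauth2 import service_account    # assumption: google-auth installed
    from googleapiclient.discovery import build   # assumption: google-api-python-client installed
    creds = service_account.Credentials.from_service_account_file(
        key_file, scopes=scopes).with_subject(admin_email)
    return build(api, version, credentials=creds, cache_discovery=False)


def update_user_attributes(directory, user_key, attributes):
    """Directory API users.update, as in the question, with only the intended fields in the body."""
    return directory.users().update(userKey=user_key, body=attributes).execute()


def fetch_2sv_report(reports, report_date=None):
    """Reports API user usage report carrying the 2SV enrollment/enforcement parameters.

    Usage data for the most recent days may not be available yet, so the
    default asks for a date a few days back.
    """
    report_date = report_date or (date.today() - timedelta(days=3)).isoformat()
    return reports.userUsageReport().get(
        userKey="all", date=report_date,
        parameters="accounts:is_2sv_enrolled,accounts:is_2sv_enforced").execute()


def users_missing_2sv(report):
    """Emails of users in a usage report who are not enrolled in 2-Step Verification.

    Each usageReports entry has an entity (userEmail) and a list of parameters,
    each with a name and a boolValue. A missing parameter counts as not enrolled.
    """
    missing = []
    for entry in report.get("usageReports", []):
        params = {p["name"]: p.get("boolValue") for p in entry.get("parameters", [])}
        if not params.get("accounts:is_2sv_enrolled", False):
            missing.append(entry["entity"]["userEmail"])
    return sorted(missing)


# Constructed sample response in the shape the Reports API returns (not real data).
SAMPLE_REPORT = {
    "usageReports": [
        {"entity": {"userEmail": "alice@example.com"},
         "parameters": [{"name": "accounts:is_2sv_enrolled", "boolValue": True},
                        {"name": "accounts:is_2sv_enforced", "boolValue": True}]},
        {"entity": {"userEmail": "bob@example.com"},
         "parameters": [{"name": "accounts:is_2sv_enrolled", "boolValue": False},
                        {"name": "accounts:is_2sv_enforced", "boolValue": True}]},
        {"entity": {"userEmail": "carol@example.com"},
         "parameters": [{"name": "accounts:is_2sv_enforced", "boolValue": False}]},
    ]
}


if __name__ == "__main__":
    print(users_missing_2sv(SAMPLE_REPORT))
    # Live use with placeholder key file and admin address (assumptions):
    # directory = delegated_service("sa-key.json", "admin@example.com",
    #                               "admin", "directory_v1", DIRECTORY_SCOPES)
    # update_user_attributes(directory, "alice@example.com", {"name": {"givenName": "Alice"}})
    # reports = delegated_service("sa-key.json", "admin@example.com",
    #                             "admin", "reports_v1", REPORTS_SCOPES)
    # print(users_missing_2sv(fetch_2sv_report(reports)))
```

Running the enrollment check before step 4 of the procedure above turns "confirm in the Security report" into something repeatable, and the same output is the list of people who will be locked out once enforcement takes effect.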