The problem with Power BI's row-level security is the need for clear text user email addresses. Is there some way in Power BI to e.g. hash the email address (that can be fetched with USERNAME() ) and just compare it to precalculated hash?
If the database that Power BI is accessing is breached then it wouldn't be good to have clear text email addresses in there.
Related
Power BI noob here, still thinking like a SQL coder, so please be patient.
How can I use the user name of the person running the report to filter the report?
As a convenience for my users, I want to provide a way for them to automatically filter to only see data related to their office or region. I have a Person table that includes details like their office location. If I can filter that based on the user name of the person running the report, and join it to the rest of the data, that would work.
Unfortunately, I don't see a way to get the user name in M.
Using the USERNAME() function in DAX, I don't see a way to compare this with individual values in a column. I get an error about being unable to compare a measure to multiple values.
It seems this would be a common request, so I'm sure somebody has solved this problem. But I haven't yet found the solution.
Use a RLS in your model. You can use function USERNAME(),USEROBJECTID (), USERPRINCIPALNAME (); The last one is useful if you have table with users and their email.
https://learn.microsoft.com/en-us/power-bi/admin/service-admin-rls
check also this GuyInCube video:
https://www.youtube.com/watch?v=MxU_FYSSnYU
First, be aware of the differences between USERNAME() and USERPRINCIPALNAME(). Most likely you will want to use the later one.
You can't use neither of these in M. Imagine your model is importing the data. The M code is executed once in the context of one user, then each other user accessing the published report will reuse the already loaded and calculated model. And of course, these are DAX functions, not M.
So in DAX you can use these to compare their values to columns from your model. You didn't gave any information about your model, but lets say there is a table Sales with columns Customer and Amount:
Customer
Amount
Bill Gates#Microsoft.local
100
Steve Ballmer#Microsoft.local
110
In this case, you can write a measure like this:
My Sales = CALCULATE(SUM('Sales'[Amount]), 'Sales'[Client] = USERPRINCIPALNAME())
When Bill Gates opens the report, he will see sales amount of 100, while if Steve Ballmer opens it he will see 110.
For diagnostic purpose, you can make a measure like this and show it somewhere in your report:
Who am I = USERPRINCIPALNAME()
If your goal is to build dynamic Row-Level Security within Power BI, it has some functionality which might help you, so take a look at these articles:
Row-level security (RLS) with Power BI
Restrict data access with row-level security (RLS) for Power BI Desktop
Row-level security (RLS) guidance in Power BI Desktop
Dynamic Row Level Security with Profiles and Users in Power BI : Many-to-Many Relationship
I am wanting to know how secure Row-Level Security is.
We are currently working on creating a dashboard that would be shared with 500 users within our organisation. All of these users are managers and we would be using dynamic row-level security so that each user would only be able to view information in the dashboard related to their own team.
I have tested RLS and it worked fine, but I have had another Power Bi user tell me that RLS is not completely secure as my base data is coming from excel. My base data is in excel, but I convert it into a pbix file in Power Bi desktop before creating the role, then publishing to power bi service, where I assign users to the role and give read only access.
I am wondering once I have shared the dashboard with these users is there any way for them to get around the RLS and access the base data?
Thanks in advance,
Amy
There are a number of factors to consider for imported data.
If the user can download the report, they could remove the role and access all the data. I would recommend turning this off in the Power BI Admin protal for selected users, or an AD group.
They could connect to the dataset via Excel or another report and get the data that way without the role level filter being used. Having them as read only is one way of stopping them altering the report. I would suggest deploying the report as an app, then they can only access the surfaced report not the underlying dataset.
I have one Power BI file that needs to be embedded in the Power App Portal using Power BI embedded code (iFrame code). I am filtering the iFrame code by applying query parameter filter in the Embedded URL.
The issue is that the value of query parameter can be changed by any end-user who is aware of the value.
For example, if we are passing user id in query string, another user id who knows the values can also change the user id in the same query string.
My question is how to securly pass the parameter in the P-BI embedded? Is there any special encryption method so that the parameter value is encrypted at end user to avoid changing the user ID
You need to implement RLS (Row Level Security). That way, users logging in to view the iFrame will see only data he is supposed to view. You will have to configure roles in power bi-level to determine how data access is determined for each user.
Read This to find out more about RLS.
I'm using the power bi embedded Row Level Security. According to the documentation given here we need to add a role in the power bi desktop and use a DAX expression like [ColumnName] = USERNAME(). So that this filter will work when the user has that particular role.
My question is is there any chance to use the DAX expression anywhere to filter data using the Username directly?
Thanks in advance
Accessing usernames
If User owns data is used for embedding, then while authenticating, the username is accessible in the code.
Or, even if using App owns data, if you authenticate your users while accessing your portal, then you can get the username while authentication.
Below is an example on JS
oCommon.authContext.getCachedUser();
Below is an example in C#
HttpContext.Current.User.Identity.Name;
Filtering in the embedded report
Further, by using filtering capabilities of Power BI embedding, the report can be filtered on the username value fetched during authentication.
Avoid flickering
You will be able to apply the filter after the report embeds, if you use powerbi.embed().
Instead use the concept of phased embedding, where before the report even renders, you can apply the filter. So apply the filters after load() and before render(). This will avoid the flicker that you may have with filtering after powerbi.embed().
We currently host data for multiple users in our database. I'd like to implement embedded power BI into our web app. When the user logs into our system, I'd like the data source to be filtered according to the user that is logged in, so e.g. SELECT * FROM Table1 WHERE ItemID in (ItemID1, ItemID2) etc..., we aren't going to know what ItemID1, ItemID2 etc... are until after the user has logged on.
Is this possible with PowerBI embedded?
To filter data for Power BI users based on which user is logging in to the embedded web app, complete the following:
Sample:
Create a table to store the usernames for each filter "group."
You will use DAX to create a measure to identify the users from your table, and assign them to a specific user role group. Below is the DAX to use:
[USERNAME] = [Current User]
Create the measure described in point #2 in the Row-Level security settings. By creating different "groups" for the users, you are essentially dynamically-building a "filter," where you only show the users what they should be seeing--thus resulting in pseudo-filtering. For more information see the following:
https://learn.microsoft.com/en-us/power-bi/desktop-tutorial-row-level-security-onprem-ssas-tabular
http://community.powerbi.com/t5/Service/Restricting-filters-to-specific-users-in-Power-BI-report/td-p/109111
Hope this helps!