How to implement security in Power BI embedded code? - powerbi

I have one Power BI file that needs to be embedded in the Power App Portal using Power BI embedded code (iFrame code). I am filtering the iFrame code by applying a query parameter filter in the Embedded URL.
The issue is that the value of query parameter can be changed by any end-user who is aware of the value.
For example, if we are passing user id in query string, another user id who knows the values can also change the user id in the same query string.
My question is how to securely pass the parameter in the P-BI embedded? Is there any special encryption method so that the parameter value is encrypted at end user to avoid changing the user ID?

You need to implement RLS (Row Level Security). That way, users logging in to view the iFrame will see only the data they are supposed to view. You will have to configure roles at the Power BI level to determine how data access is determined for each user.
Read This to find out more about RLS.

Related

How to create a filter in powerbi that will dynamically query the db using a SP with a parameter

I am trying to run a direct query on my DB and apply a filter input by the user. The user input would be used as a parameter for my Stored Procedure that retrieves the data I want to display to the user. The reason for running a direct query and not just refreshing the data and then the user filtering from all of that data, is that the database is really large and it would make the report file approx. 650mb in size. My idea is that with a direct query, I can pull only the data required through an indexed column that the Stored Procedure uses to filter.
Currently I was able to create a parameter in the Query editor and use it in a query function but this creates an "Invoked Function" table. If I use these results in my report essentially the user can only filter through the result I filtered in my query editor. I want the user to be the one to input that value and the report to dynamically load it.
As far as the filter field, I am using a slicer and added the search capability to it so they can type out the search value and select the result in the list. Ideally I would like a textbox that they can type the value they want and search for it.
Is this possible in PowerBI? and if so how could I accomplish this?
You have to download a separate application called Power BI Report Builder to accomplish this and create a paginated report. See Url below:
Paginated Reports

Using RLS with Analysis Service Live Connection in a PBIE "App Owns Data" scenario

I'm kind of new to PBI and I'm looking if it's the right tool for my case.
I would like to use Power BI Embedded in a web application for our customers (where they're logged in), who do not have any Power BI account/licence.
The database on which the reports are based is on-premise, so we would use Analysis Service Live Connection to access them.
Each customer should have his own report.
Is it possible to use RLS in that case?
Does that mean we have to create a role for each of them?
What username should be given in the EffectiveIdentity? Is it 'free text' that is used by PBI to get the username in the DAX?
If each customer will have his own report, then why do you need RLS at all? Just make the report show what the user is supposed to see. Or do you want to have a single report (or set of reports), which is shared between the users, and they should see only their data? I will assume it is the latter one.
I will start with the last question - the effective identity is not a "free text". It must be a valid user name, having rights to access the data, as specified in the documentation:
The effective identity that is provided for the username property must be a Windows user with permissions on the Analysis Services server.
Then you can define RLS in your Analysis Service model, by adding a "users security" table, where you specify which rows should be visible to each user. Define relationships between this users security table and other tables in the model, and then let RLS filter the data in the security table. The relationships with the rest of the model will apply cascade filtering on the data, so only relevant rows will be visible to the user. See Implement row-level security in an Analysis Services tabular model for example.
So the answer of your second question is no, you don't need a separate role for each user, because the filtering is based on the username and for every user it filters the same thing the same way.

How to match a e-mail from a table with dax function USERPRINCIPALNAME and let the user visualize the report in PowerBI?

I need to hide a page from a group of users, but I've read that there is no RLS-like service to do that. I found a "tip" to use a card and paint it white or transparent to hide the page contents. It would work fine for me, but here is my problem:
I have a table with page name and the e-mail of the users allowed to access its contents. I need to query that table, returning the page name when the e-mail equals to USERPRINCIPALNAME (DAX function), but I haven't found how to link these information.
I tried to create a column named "allowed", comparing the e-mail value with this DAX function, but PowerBI does not allow its use (it can only be used with Measures). Then, I tried to create a measure comparing both values, but I cannot access the table value (it's not displayed in the list of available options).
What can I do? Any clues?
Regards
There is in fact an RLS feature in Power BI that can be used to restrict data access for given users.
Refer: https://learn.microsoft.com/en-us/power-bi/service-admin-rls

Power BI Embedded Row Level Security

I'm using the power bi embedded Row Level Security. According to the documentation given here we need to add a role in the power bi desktop and use a DAX expression like [ColumnName] = USERNAME(). So that this filter will work when the user has that particular role.
My question is: is there any chance to use the DAX expression anywhere to filter data using the Username directly?
Thanks in advance
Accessing usernames
If User owns data is used for embedding, then while authenticating, the username is accessible in the code.
Or, even if using App owns data, if you authenticate your users while accessing your portal, then you can get the username while authentication.
Below is an example in JS
oCommon.authContext.getCachedUser();
Below is an example in C#
HttpContext.Current.User.Identity.Name;
Filtering in the embedded report
Further, by using filtering capabilities of Power BI embedding, the report can be filtered on the username value fetched during authentication.
Avoid flickering
You will be able to apply the filter after the report embeds, if you use powerbi.embed().
Instead use the concept of phased embedding, where before the report even renders, you can apply the filter. So apply the filters after load() and before render(). This will avoid the flicker that you may have with filtering after powerbi.embed().

Connecting Reports to Web APIs with Parameters

I have a client that has a large number of customers, and I have reports that can accept parameters and pass to a REST-based Web API to pull, for example, customer-specific records. This, of course, is easy using Power BI.
The challenge is, there could literally be 500,000 records out there, so filters and passing filters is not really an option. What I need to do is pass a value via Power BI Embedded to the report that will update the parameter of the Web API dynamically.
Such as https://services.server.com/api/customers/{customerId}.
I have read and experimented with about every technique possible, and yet I still can't seem to pull this simple (and common) scenario off. To confirm, this would work fine if I allowed a user to filter these values manually, but the goal is to have the Web.Content value be dynamic (like via a parameter) and then the parameter (like CustomerId) get fed to the report externally, like in a Power BI embedded parameter to the report.
Again, this can't be a filter, I just want to do what you used to be able to do with SSRS or Crystal Reports and send something like {parameter} = (or eq) '{some value}' and have the report use that as the datasource JSON feed.
Any thoughts on this frustrating situation?
You can do this with RLS:
https://learn.microsoft.com/en-us/power-bi/developer/embedded-row-level-security
Bring all the 500,000 records to your pbix.
Define a role which will filter based on a username.
When embedding, pass the role and the desired username to the embed token.
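
The RLS approach in the answers above (roles defined in the report, role and username passed to the embed token), as an added JavaScript example that is not part of the original answers: the server takes the username from its own authenticated session and ignores any user id carried in the query string. The session shape, the role name and the placeholder ids are assumptions.

```javascript
// Added example (not from the original answers): server-side construction of a
// Power BI "Generate Token" request whose RLS identity comes from the session.
const API = "https://api.powerbi.com/v1.0/myorg";

// Effective identity is derived from the authenticated session only.
// Any user id supplied by the browser (query string, form field) is ignored;
// a mismatch is returned as a flag so it can be logged.
function resolveEffectiveUser(session, query = {}) {
  if (!session || !session.authenticated || !session.userPrincipalName) {
    throw new Error("no authenticated session: refusing to issue embed token");
  }
  const claimed = query.userid;
  const mismatch = claimed !== undefined && claimed !== session.userPrincipalName;
  return { username: session.userPrincipalName, mismatch };
}

// Body for POST {API}/groups/{groupId}/reports/{reportId}/GenerateToken.
// roleName and datasetId are assumptions: the RLS role defined in the .pbix
// (e.g. with [Email] = USERNAME()) and the dataset behind the report.
function buildEmbedTokenRequest(session, report, query) {
  const { username, mismatch } = resolveEffectiveUser(session, query);
  return {
    url: `${API}/groups/${encodeURIComponent(report.groupId)}` +
         `/reports/${encodeURIComponent(report.reportId)}/GenerateToken`,
    body: {
      accessLevel: "View",
      identities: [{ username, roles: [report.roleName], datasets: [report.datasetId] }],
    },
    tamperAttempt: mismatch,
  };
}

// Sends the request with the application's Azure AD access token.
// Only the returned embed token goes to the browser, never aadToken.
async function requestEmbedToken(aadToken, req) {
  const res = await fetch(req.url, {
    method: "POST",
    headers: { Authorization: `Bearer ${aadToken}`, "Content-Type": "application/json" },
    body: JSON.stringify(req.body),
  });
  if (!res.ok) throw new Error(`GenerateToken failed: HTTP ${res.status}`);
  return (await res.json()).token;
}

// Constructed sample input: alice is logged in, the URL carries bob's id.
const SAMPLE_SESSION = { authenticated: true, userPrincipalName: "alice@contoso.example" };
const SAMPLE_REPORT = { groupId: "GROUP-ID-PLACEHOLDER", reportId: "REPORT-ID-PLACEHOLDER",
                        datasetId: "DATASET-ID-PLACEHOLDER", roleName: "CustomerRole" };
const sample = buildEmbedTokenRequest(SAMPLE_SESSION, SAMPLE_REPORT, { userid: "bob@contoso.example" });
console.log(JSON.stringify(sample, null, 2));
```

Because the identity is bound into the embed token on the server, editing the iFrame URL in the browser does not change which rows the RLS role returns.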