I have created a native app and set the permissions in Azure Active Directory to view only, and I use that to expose a report with Power BI Embedded (using the C# SDK). However, it's relatively simple to edit the JavaScript to put the report in edit mode, thereby exposing the underlying data. Is there any way to prevent the report from being edited when using Power BI Embedded, or alternatively, to ensure that only allowed data is shared?
While the editing of the report can be overridden if modifying the JS code, that user won't be able to save or modify the report itself since the EmbedToken granted should be without a Write permission.
When creating the EmbedToken you, as the report owner, declare what abilities you grant the user on that specific report. If you didn't give the users Write access, all they can do is purely local by modifying JS.
This is defined as the accessLevel in: https://learn.microsoft.com/en-us/rest/api/power-bi/embedtoken/reports_generatetoken
If the issue is the data access, you can achieve this by using Embedded Row-Level-Security (RLS). The steps are given in: https://learn.microsoft.com/en-gb/power-bi/developer/embedded-row-level-security
1. Under Modeling (in Power BI Desktop), select Manage Roles.
2. Select the table you want to filter on, and type the DAX expression to filter on, e.g. [City State] = "Sparta".
3. Give the role a name, say Spartan, and add any other filters you need. Click Save. You can select View as Roles to ensure that the data is appropriately filtered.
4. In your code, modify your token request to include a username, role and dataset. You might change it from something like var generateTokenRequestParameters = new GenerateTokenRequest(accessLevel: "view"); to something like var generateTokenRequestParameters = new GenerateTokenRequest("view", null, identities: new List<EffectiveIdentity> { new EffectiveIdentity(username: "Spartacus", roles: new List<string> { "Spartan" }, datasets: new List<string> { "datasetId" }) });.
Note that username, roles and dataset are all required.
Using this approach, even if the user does manipulate the JavaScript to get the report in edit mode, they will not be able to access data filtered out by your DAX statements.
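The token request described above, as an added example that is not part of the original answer: it builds the REST GenerateToken body on the server from the authenticated session only, so a username or access level edited in the browser never reaches the effective identity. The session object, the ROLE_BY_TENANT mapping and the sample values are hypothetical.

```javascript
// Added example: server-side builder for a Power BI GenerateToken request body.
// ROLE_BY_TENANT and the session shape are hypothetical application data.
const ROLE_BY_TENANT = { sparta: ["Spartan"] }; // constructed sample mapping

function buildEmbedTokenRequest(session, datasetId, clientParams = {}) {
  // The effective identity comes only from the authenticated server-side session.
  if (!session || !session.authenticated || !session.username) {
    throw new Error("no authenticated user");
  }
  // Username, roles and dataset are all required for an RLS identity.
  const roles = ROLE_BY_TENANT[session.tenant] || [];
  if (roles.length === 0) throw new Error("no RLS role mapped for tenant");
  if (!datasetId) throw new Error("datasetId is required");

  // Anything the browser sent for these keys is ignored; the names are
  // returned so the caller can log the request as a tampering signal.
  const sensitive = ["username", "userId", "roles", "accessLevel"];
  const ignored = Object.keys(clientParams).filter((k) => sensitive.includes(k));

  return {
    body: {
      accessLevel: "View", // read-only viewers never get Edit or Create
      allowSaveAs: false,
      identities: [
        { username: session.username, roles, datasets: [datasetId] },
      ],
    },
    ignoredClientParams: ignored,
  };
}

// Constructed sample: the browser tries to swap identity and access level.
const sample = buildEmbedTokenRequest(
  { authenticated: true, username: "Spartacus", tenant: "sparta" },
  "datasetId",
  { username: "Leonidas", accessLevel: "Edit", page: "2" }
);
console.log(JSON.stringify(sample, null, 2));
```

The returned body is what the server would POST to the GenerateToken endpoint linked above; only the resulting embed token is sent to the browser.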
Related
I'm kind of new to PBI and I'm looking if it's the right tool for my case.
I would like to use Power BI Embedded in a web application for our customers (where they're logged in) who do not have any Power BI account/licence.
The database on which the reports are based is on-premise, so we would use Analysis Service Live Connection to access it.
Each customer should have his own report.
Is it possible to use RLS in that case?
Does that mean we have to create a role for each of them?
What username should be given in the EffectiveIdentity? Is it 'free text' that is used by PBI to get the username in the DAX?
If each customer will have his own report, then why do you need RLS at all? Just make the report show what the user is supposed to see. Or do you want to have a single report (or set of reports), which is shared between the users, and they should see only their data? I will assume it is the latter one.
I will start with the last question - the effective identity is not a "free text". It must be a valid user name, having rights to access the data, as specified in the documentation:
The effective identity that is provided for the username property must be a Windows user with permissions on the Analysis Services server.
Then you can define RLS in your Analysis Service model by adding a "users security" table, where you specify which rows should be visible to each user. Define relationships between this users security table and other tables in the model, and then let RLS filter the data in the security table. The relationships with the rest of the model will apply cascade filtering on the data, so only relevant rows will be visible to the user. See Implement row-level security in an Analysis Services tabular model for example.
So the answer to your second question is no, you don't need a separate role for each user, because the filtering is based on the username and for every user it filters the same thing the same way.
I have one Power BI file that needs to be embedded in the Power App Portal using Power BI embedded code (iFrame code). I am filtering the iFrame code by applying query parameter filter in the Embedded URL.
The issue is that the value of query parameter can be changed by any end-user who is aware of the value.
For example, if we are passing user id in query string, another user id who knows the values can also change the user id in the same query string.
My question is how to securely pass the parameter in the P-BI embedded? Is there any special encryption method so that the parameter value is encrypted at the end user, to avoid changing the user ID?
You need to implement RLS (Row Level Security). That way, a user logging in to view the iFrame will see only the data he is supposed to view. You will have to configure roles at the Power BI level to determine how data access is determined for each user.
Read This to find out more about RLS.
I'm using the power bi embedded Row Level Security. According to the documentation given here we need to add a role in the power bi desktop and use a DAX expression like [ColumnName] = USERNAME(). So that this filter will work when the user has that particular role.
My question is: is there any chance to use the DAX expression anywhere to filter data using the Username directly?
Thanks in advance
Accessing usernames
If User owns data is used for embedding, then while authenticating, the username is accessible in the code.
Or, even if using App owns data, if you authenticate your users while accessing your portal, then you can get the username during authentication.
Below is an example in JS
oCommon.authContext.getCachedUser();
Below is an example in C#
HttpContext.Current.User.Identity.Name;
Filtering in the embedded report
Further, by using filtering capabilities of Power BI embedding, the report can be filtered on the username value fetched during authentication.
Avoid flickering
You will be able to apply the filter after the report embeds, if you use powerbi.embed().
Instead use the concept of phased embedding, where before the report even renders, you can apply the filter. So apply the filters after load() and before render(). This will avoid the flicker that you may have with filtering after powerbi.embed().
We currently host data for multiple users in our database. I'd like to implement embedded power BI into our web app. When the user logs into our system, I'd like the data source to be filtered according to the user that is logged in, so e.g. SELECT * FROM Table1 WHERE ItemID in (ItemID1, ItemID2) etc..., we aren't going to know what ItemID1, ItemID2 etc... are until after the user has logged on.
Is this possible with PowerBI embedded?
To filter data for Power BI users based on which user is logging in to the embedded web app, complete the following:
Sample:
1. Create a table to store the usernames for each filter "group."
2. You will use DAX to create a measure to identify the users from your table, and assign them to a specific user role group. Below is the DAX to use:
   [USERNAME] = [Current User]
3. Create the measure described in point #2 in the Row-Level security settings. By creating different "groups" for the users, you are essentially dynamically building a "filter," where you only show the users what they should be seeing, thus resulting in pseudo-filtering. For more information see the following:
https://learn.microsoft.com/en-us/power-bi/desktop-tutorial-row-level-security-onprem-ssas-tabular
http://community.powerbi.com/t5/Service/Restricting-filters-to-specific-users-in-Power-BI-report/td-p/109111
Hope this helps!
I have a URL that returns a JSON object with everything I need for my Power BI Embedded report. I get the data for the report by adding a new web data source and pasting the URL in. A few transformations later and tada! Sexy report. The report shows lots of charts and graphs etc... However, I need to be able to change the data source URL depending on who is looking at it.
The report shows data for a single organization. You can only look at it if you're in that organization. How can I pass an organization's ID when embedding the report so that the data source will show different data?
For example, if my data source is defined in the originating pbix as
Json.Document(Web.Contents("http://www.testdata.com/api/json?orgId=1"))
how can I change it to
Json.Document(Web.Contents("http://www.testdata.com/api/json?orgId=2"))
when I'm pulling the report to embed on a page?
I know you can filter data, but that means I have to make the data source URL pull ALL the data, which would be huge and intensive just to have BI filter out something.
In short, I'm embedding a report on a website and that report's only way to get data is via a JSON endpoint. That endpoint requires the org ID of the user, so how do I pass it to BI, which in turn uses it in the data source URL?
Your only option for this scenario is to pull all the required data into your dataset. Then you can use either Role Level Security (RLS) or the new JS API to filter the data for each user.
You should probably look at an Azure SQL data source as a more efficient, flexible and scalable back-end for PBI Embedded.