Data Security in Power BI – Users’ Roles and Permissions
In Power BI, we can store data encompassing an entire enterprise. It is possible to establish connections with many data sources with different structures, which, following transformations, can be imported into a uniform warehouse. Data contained in Power BI may have different levels of confidentiality, which is why it is not always advisable to give all platform users full access to the content it contains. Power BI allows you to control access to data displayed on reports according to their purpose by defining the roles of users.
Permissions are defined at three levels:
- Workspace – this is where the entire Power BI dataset and associated reports are stored. Permissions at this level apply to the entirety of content in the space. Users can be assigned various statuses: administrator, member or contributor. There is also a fourth group for people just viewing content, without access to settings.
- Dataset – data access restrictions according to row-level security. There can be many data sets in the workspace with different security definitions for the data contained in each of them. At this level – unlike the workspace – there are no predefined roles. The designer decides about their number and scope, which allows for an individual approach to their creation.
- Report – you can specify who will be able to view a selected report within a given space. Reports alone do not store data. Visualizations are associated with data sets that determine what portion of information can be loaded into them. The user can also receive permission to export the report (this option is currently available in the preview version). This type of report contains visualizations and its own set of data. Files downloaded in this way can be freely extended.
Row-level security – an example of role usage
Sample customer profiles from around the country will be used to demonstrate how security mechanisms work. Currently, the report displays the data of all customers. Let’s assume that this level of detail is reserved for management, who should have access to the full range of information, while for region guardians, statistics related only to their own area of activity may be more useful. We may also want to protect information about customers from other provinces.
To limit the display of data for a user who is responsible only for a selected region, we can configure the roles of the data set using the Power BI Desktop application. This will prevent rows from being displayed that do not meet the condition described in the filter expression for the given role. Rules can be set for several objects at the same time, so you can limit access to data by attributes that are in different tables. You can also hide entire tables.
You can assign different expressions to filter selected tables for each of the roles created. For example, a person who is the guardian of the “south” region will be able to view reports for clients whose data in the columns meet the conditions and come from the provinces (column [province]): Dolnoslaskie, Slaskie or Opolskie.
To assign users to groups, publish the set to the Power BI workspace and go to the row management security section. In this section you can also quickly test the correct operation of security in the selected role. The reports will then be displayed in the version the participant sees, without having to change the rights of their own account. Settings can also be tested locally before deployment to the Power BI service in the Desktop application.
We should keep in mind that users assigned to row-level security roles do not have permission to manage the configuration or edit content within the entire workspace – then the restrictions for the selected data set will be overridden and they will be able to change the security settings themselves, downloading the file in full.
The discussed case presents one of the many methods of implementing the security available in Power BI. Conditions limiting the displayed data can be defined based on static conditions or using a dynamic object – for example, the name of the logged-in user.
Roles and permissions are not only security and control over access to data, but also a way to make work easier. Analyses can automatically present the business context for the person they refer to. Reports configured in this way can be further edited and extended directly in the cloud, or locally using the Power BI Desktop application, without the need to configure the data set for the end-user each time.