Power BI Online | Overview of Security Implementation

Power BI is a viable platform for implementing enterprise security. It does so in two ways, each suited to different types of scenario, from the simplest to the most complex. (Article coming soon on this topic)


The two security levels within Power BI:


1 • Access Security

2 • Row Level Security


Examples:


1 • Access Security - Security by business entities (Security by reports)

  • HR team can access HR Report

  • Finance team can access Controlling Reports

  • Sales team can access Sales Reports

  • Top Management Team can access every report

2 • Row Level Security - Security based on referential data (Security by row)


By country, by product, by customer, by collaborator, etc.


1 • Access Security


Must be defined in Power BI Workspace

IT - Champion User

Can administrate the group and manage reports

IT Team - Power User

Can visualize and/or create reports

Report consumers (possibly the whole company & external users)

Can visualize only some non-sensitive reports


Can view


Can edit



2 • Row Level Security


Must be defined in Power BI Desktop and Power BI Online


• Step 1: Filter data in Power BI Desktop

• Step 2: Assign users to roles in Power BI Online
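
As an added example (not from the original article), these are DAX filter expressions of the kind Step 1 defines under Manage roles in Power BI Desktop, for the "by country" case listed earlier. The table and column names ('Sales', 'UserCountry', UserEmail, Country) and the role names are assumptions.

```dax
// Role "France Sales" (hypothetical): static filter on the 'Sales' table.
// Members of this role only see rows where Country is France.
[Country] = "France"

// Role "Country Managers" (hypothetical): dynamic filter on the 'Sales' table.
// 'UserCountry' is an assumed mapping table with one row per
// (UserEmail, Country) pair the user is allowed to see.
VAR CurrentUser = USERPRINCIPALNAME()
RETURN
    'Sales'[Country]
        IN SELECTCOLUMNS(
            FILTER ( 'UserCountry', 'UserCountry'[UserEmail] = CurrentUser ),
            "Country", 'UserCountry'[Country]
        )

// Same role, filter on the 'UserCountry' table itself, so a member
// cannot read other users' mappings from the model.
[UserEmail] = USERPRINCIPALNAME()
```

In Step 2 the members of each role are assigned on the dataset's security settings in Power BI Online. Row-level security filters users who can only view; users who can edit content in the workspace are not restricted by it.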



3 • Manage security/groups in the Office 365 Admin Center


An Office 365 Security Group is a way to grant security access to a group of users

It is stored in Azure Active Directory (AAD)

One Security Group can contain N security groups (a hierarchy of security groups)


Versus


An Office 365 Group is a way to centralize members for multiple Microsoft products in one place.

It is stored in Azure Active Directory (AAD)

It is just like a Security Group, but with a provisioning robot that centralizes Office 365 product activities

When a Group is created in AAD, it comes with an email address and a calendar for the Group (Exchange), a site collection in SharePoint for that group, a team in Microsoft Teams, a Power BI Workspace, and so on


Good to know:


You can add 1 AAD Internal Account = 1 email address

You can add an external user from another AAD tenant or from a personal e-mail address (e.g. gmail, yahoo, etc.)

Role-based access control is accessible from Identity Access Management for each Azure resource