Securing datasets in Power BI Service

1. Securing datasets in Power BI Service

Power BI has several tools to secure datasets. In this video, we will look at three such tools.

2. Dataset permissions

The first tool is dataset permissions. There are four permissions in total you can grant. The Read permission allows a user to view data from a dataset in the context of a Power BI report. Importantly, Read does not allow querying of the dataset through an external API or finding additional content which uses a given dataset. To gain those permissions, a user needs Build access. Build also allows a user to build new content off of an existing dataset. Reshare allows users to share dataset contents with other users. This allows a user to grant some combination of Read, Reshare, and Build to other users. Finally, the Write permission allows users to view and modify metadata for a dataset, including things like featuring Q&A questions, adding descriptions to datasets, and replacing dataset contents.

3. Datasets and workspace roles

Each workspace role automatically adds certain dataset permissions. For example, any workspace role will grant Read permissions on a dataset in the workspace. Admins, members and contributors will get Build access to datasets. They also get Write access to datasets in the workspace. By default, only admins and members get Reshare access, as this permission relates to giving other users permissions.

4. Ways to obtain dataset permissions

In addition to workspace role assignments, there are three ways to obtain permissions on a dataset. The first way is to grant dataset permissions directly to a user or group.

5. Ways to obtain dataset permissions

We may also grant permissions to an app. Users with an app implicitly gain the app's permissions. In other words, an app might have Read access to a dataset. A user with that app will therefore have Read access to the dataset through the app.

6. Ways to obtain dataset permissions

The third method to grant permissions is to share a link to a report. When sharing the report, we can configure what dataset rights people will have.

7. Row-level security (RLS)

The second tool, row-level security, allows us to restrict data access for given users. Specifically, we can show or hide specific rows based on filters we create. We can create row-level security roles which contain these filters. We create these roles in Power BI Desktop and then use the Power BI Service to assign users and groups to our newly-created roles.

8. Row-level security limitations

Row-level security does come with a performance cost, as it needs to compare each row individually to see if the current user should be able to see it. Further, users with Write permissions on the dataset will see all rows, regardless of row-level security settings. In practice, row-level security is a restriction you place on workspace Viewers, not Admins, Members, or Contributors.
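The role-to-permission mapping and the Write limitation described above can be turned into a small access review. This is an added example, not part of the original course material: the user names, the input dictionaries and the function names are constructed for illustration and do not come from any Power BI API.

```python
# Workspace role -> dataset permissions, as described in the text above.
ROLE_PERMISSIONS = {
    "Viewer": {"Read"},
    "Contributor": {"Read", "Build", "Write"},
    "Member": {"Read", "Build", "Write", "Reshare"},
    "Admin": {"Read", "Build", "Write", "Reshare"},
}

def effective_permissions(user, workspace_roles, direct_grants):
    """Union of permissions from the workspace role and direct grants."""
    perms = set(direct_grants.get(user, set()))
    role = workspace_roles.get(user)
    if role is not None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown workspace role: {role!r}")
        perms |= ROLE_PERMISSIONS[role]
    return perms

def rls_bypass_findings(rls_roles, workspace_roles, direct_grants):
    """List (rls_role, user, source) where the user holds Write on the
    dataset, so the RLS filter will not restrict what they see."""
    findings = []
    for rls_role in sorted(rls_roles):
        for user in sorted(rls_roles[rls_role]):
            if "Write" not in effective_permissions(
                    user, workspace_roles, direct_grants):
                continue
            role = workspace_roles.get(user)
            if role and "Write" in ROLE_PERMISSIONS[role]:
                source = f"workspace role {role}"
            else:
                source = "direct grant"
            findings.append((rls_role, user, source))
    return findings

# Constructed sample data (hypothetical users and RLS role names).
WORKSPACE_ROLES = {"ana@example.com": "Viewer",
                   "ben@example.com": "Contributor",
                   "cy@example.com": "Viewer"}
DIRECT_GRANTS = {"cy@example.com": {"Write"}, "dee@example.com": {"Read"}}
RLS_ROLES = {"EMEA Sales": {"ana@example.com", "ben@example.com"},
             "US Sales": {"cy@example.com", "dee@example.com"}}

if __name__ == "__main__":
    for finding in rls_bypass_findings(RLS_ROLES, WORKSPACE_ROLES,
                                       DIRECT_GRANTS):
        print("RLS not enforced: %s / %s (%s)" % finding)
```

Each finding is an RLS role member who should either lose Write on the dataset or be treated as having full row visibility.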

9. Sensitivity labels

The third tool, sensitivity labels, guards sensitive content against unauthorized data access and leakage. These allow us to prevent access to certain datasets in Power BI Desktop, such as encrypted datasets containing sensitive customer information. Power BI administrators are able to block users from exporting highly sensitive data. Importantly, any user who can set a sensitivity label may also change the sensitivity label. That said, all changes are tracked in the Power BI audit log, so even though a person can change the sensitivity label, you have a record of that change.

10. To set sensitivity labels

Setting sensitivity labels starts in the Microsoft 365 Compliance Center, where you can define custom labels. Microsoft does not provide you a default set of labels; instead, you create your own. After creating these labels, there is a Power BI tenant setting to enable sensitivity labeling for the entire organization. After that, you must be logged into Power BI Desktop or Power BI Service. You must have a Pro or Premium Per User license to set sensitivity labels. Finally, you must have edit permissions on the content you wish to label. We can label individual data sources as well as the Power BI report as a whole.

11. Let's practice!

Now that we have learned about three techniques for securing datasets in Power BI, let's apply that knowledge to some exercises.