Skip to content

Security

Security in the Analysis Models - Power BI architecture is covered in multiple areas, namely:

Azure Data Lake Gen 2

ADLSG2 is the type of storage used for storing parquet files. A storage account per environment (DEV, UAT, PROD) is available. Within a container in the storage account, folders are available per Area, and data sources are available within the Area folder (folder per Parquet Data Source). Data sources can be created in each of the Area folders. There is also a Shared folder which is used for Shared Dim/Fact/Views (i.e. common data sources for multiple models). A Parquet Data Source is mapped to a view or table in Oracle. Each time when the data is loaded, the .parquet file will be overwritten ( Full load overwrites the whole table while Incremental load overwrites the Changed partitions and New partitions are loaded).

To access these ADLS Gen 2 folders and connect to a Parquet Data Source, users with the necessary permission set (given that the BI Infrastructure and environment setup is completed) are required to whitelist their IPs and obtain a Shared Access Signature token (SAS token) . The SAS token allows users the ability to access the Data Lake.

Azure Data Lake Gen 2 Storage Security

In order to control the level of access to the storage account, it is needed to configure the Virtual Networks and Firewall.

Read more about configuring ADLS Firewalls and Virtual networks.

Row Level Security

When a client asks for an embed token the Power BI Embedded service reads the user identity of the Open ID Connect token and includes this in the request to create an embed token. The way an identity needs to be created is dependent on the data source (Power BI Import mode, AAS mode, or SSAS mode all with or without RLS).

The below table shows how an effective identity is created in the Import scenario.

For Power BI Import with RLS (ImportWithRls): - Username - The claim of the open id connect token as configured in the environment variable “usernameClaim” - Dataset of the report - Roles-“EmbedUser” or specific value of Role - customData-NULL

For Power BI Import without RLS (6, ImportNoRls ): Do not pass in an effective identity.

Read more about Row Level Security.

Shared Access Signature Token

During an Analysis Model customization process or when creating a Model, a Shared Access Signature Token (SAS Token) is required to access the Azure Data Lake Gen 2 container to consume the .parquet files as data sources in Power BI Desktop

Read more about SAS Token generation.

Permission Sets

Permission sets are used to grant users access to the relevant pages within IFS Cloud Web. Currently, there are three permissions sets to cover: - A system administrator(AAAS_ADMINISTRATOR), - SAS Token generation(AAAS_DL_USER) to generate SAS Token, and - Upload Model(AAAS_UPLOAD_USER) who can upload models

Read more about Analysis Models - Power BI Permission sets.

For a user to access the reports they do so through a lobby permission set: AAAS_USER