3I. Enforce Power BI model security Flashcards
What is RLS?
Row-level security (RLS), which involves defining roles and rules that filter model data.
What is OLS?
Object-level security (OLS), to restrict access to entire tables or columns.
How does RLS enforce security?
As a data modeler, you set up RLS by creating one or more roles. A role has a unique name in the model, and it usually includes one or more rules. Rules enforce filters on model tables by using Data Analysis Expressions (DAX) filter expressions.
By default, a data model has no roles. A data model without roles means that users (who have permission to query the data model) have access to all model data.
It’s possible to define a role that includes no rules. In this case, the role provides access to all rows of all model tables. This role setup would be suitable for an admin user who is allowed to view all data.
What context applies to rules in RLS?
Rule expressions are evaluated within row context. Row context means the expression is evaluated for each row using the column values of that row. When the expression returns TRUE, the user can “see” the row.
What two types of rules exist?
- Static
- Dynamic
What are static rules?
Static rules use DAX expressions that refer to constants.
Consider the following rule applied to the Region table that restricts data access to Midwest sales:
'Region'[Region] = "Midwest"
If you wanted to, how would you restrict access to all rows in a table, and when would it be useful?
The simplest static rule that you can create restricts access to all table rows:
FALSE()
It could be useful if you want a role to access part of an aggregated table, but no data from the detail table.
What are some disadvantages of static rules?
- Static rules can involve significant effort to create and set up.
- You would also need to update and republish the dataset if new rows are added to the dimension you use to filter.
When might it be a good idea to use dynamic rules instead of static rules?
If there are many rules to set up and you anticipate adding new rules in the future, consider creating dynamic rules instead.
What are dynamic rules, and what DAX functions do they use?
Dynamic rules use specific DAX functions that return environmental values (as opposed to constants). Environmental values are returned from three specific DAX functions:
- USERNAME or USERPRINCIPALNAME - Returns the Power BI authenticated user as a text value.
- CUSTOMDATA - Returns the CustomData property passed in the connection string. Non-Power BI reporting tools, like Microsoft Excel, that connect to the dataset by using a connection string can set this property.
How do USERNAME and USERPRINCIPALNAME compare?
Be aware that the USERNAME function returns the user in the format of DOMAIN\username when used in Power BI Desktop. However, when used in the Power BI service, it returns the format of the user’s User Principal Name (UPN), like username@adventureworks.com. Alternatively, you can use the USERPRINCIPALNAME function, which always returns the user in the user principal name format.
Give an example of a dynamic rule.
Consider a revised model design that now includes the (hidden) AppUser table. Each row of the AppUser table describes a username and region. A model relationship to the Region table propagates filters from the AppUser table.
The following rule applied to the AppUser table restricts data access to the region(s) of the authenticated user:
'AppUser'[UserName] = USERPRINCIPALNAME()
How can you validate roles?
When you create roles, it’s important to test them to ensure they apply the correct filters. For data models created in Power BI Desktop, the View as function lets you see the report when different roles are enforced and different username values are passed.
Where in the menus do I create roles and rules?
- From the Modeling tab, select Manage Roles.
- From the Manage roles window, select Create.
How do I assign users to roles?
You assign users to roles in the Power BI service. Open the workspace where you saved your report and do the following steps:
- In the Power BI service, select the More options menu for a semantic model. This menu appears when you hover on a semantic model name, whether you select it from the navigation menu or the workspace page.
- Select Security. This takes you to the Role-Level Security page where you add members to a role you created in Power BI Desktop.