Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 9 Next »

Security

Managed Roles

To define security roles, you can do the following.

  1. Import data into your Power BI Desktop report, or configure a DirectQuery connection.

    Note:

    You cannot define roles within Power BI Desktop for Analysis Services live connections. You will need to do that within the Analysis Services model.

  2. Select the Modeling tab.

  3. Select Manage Roles.

  4. Select Create.

  5. Provide a name for the role.

  6. Select the table that you want to apply a DAX rule.

  7. Enter the DAX expressions. This expression should return a true or false. For example: [Entity ID] = “Value”.

    Note:

    You can use username() within this expression. Be aware that username() will have the format of DOMAIN\username within Power BI Desktop. Within the Power BI service, it will be in the format of the user's UPN. Alternatively, you can use userprincipalname() which will always return the user in the format of their user principal name.

  8. After you have created the DAX expression, you can select the check above the expression box to validate the expression.

  9. Select Save.

You cannot assign users to a role within Power BI Desktop. This is done within the Power BI service. You can enable dynamic security within Power BI Desktop by making use of the username() or userprincipalname() DAX functions and having the proper relationships configured.

 

RLS has changed several times with each new update so this can change soon.

RLS (Row Level Security)

Based on testing and review, RLS still needs to be worked through in greater details. I have added links to better help with future build and testing of RLS.

• With PowerBI: https://powerbi.microsoft.com/en-us/documentation/powerbi-admin-rls/
• With PowerBI Desktop: https://powerbi.microsoft.com/en-us/documentation/powerbi-desktop-rls/
• With Analysis Services: https://powerbi.microsoft.com/en-us/documentation/powerbi-desktop-tutorial-row-level-security-onprem-ssas-tabular/
• With PowerBI Embedded: https://docs.microsoft.com/en-us/azure/power-bi-embedded/power-bi-embedded-rls

 

 

Content Pack Security

The life cycle of an organizational content pack

Any Power BI Pro user can create, publish, and access organizational content packs. Only the content pack creator can modify the workbook and dataset, schedule refresh, and delete it.

The lifecycle looks something like this:

1.In Power BI Pro, Nate creates a content pack and publishes it to the Marketing distribution group. The refresh settings are inherited with the dataset and can only be changed by Nate.

2.Nate sends mail to the distribution group, telling them about the new content pack.

3.In Power BI Pro, Jane, a member of the Marketing distribution group, searches for and connects to this content pack in AppSource. She now has a read-only copy. She knows it's read-only because in the left Navigation Pane, there is a sharing icon to the left of the dashboard name and report name. And when she selects the dashboard, a lock icon lets Jane know she is looking at a content pack dashboard.

4.Say she decides to customize it. She now has her own copy of the dashboard and reports. Her work does not affect the source, the original content pack, or other distribution group members. She is now working on her own copy of the dashboard and report.

5.Nate makes updates to the dashboard and when it's ready, he publishes a new version of the content pack.

   •Julio, another distribution group member, didn't customize the original content pack. The new changes are automatically applied to his version of the content pack.

   •Jane did customize the content pack. She receives a notification that there's a new version. She can go to AppSource and get the updated content pack without losing her personalized version. She'll now have two versions: her personalized version and the updated content pack.

6.Say Nate changes the security settings. Julio and Jane no longer have access to the content. Or say they're removed from the Marketing distribution group.

   • Julio didn't customize the original content pack, so the content is automatically removed.

   • Jane did customize the content pack. The next time she opens the dashboard all tiles from the original content pack are gone, but tiles she pinned from other reports (that she still has permission to use) still appear. The associated reports and dataset are no longer available (and don't appear in her left navigation pane).

7.Or Nate deletes the content pack.

   • Julio didn't customize the original content pack, so the content is automatically removed.

   • Jane did customize the content pack. The next time she opens the dashboard all tiles from the original content pack are gone, but tiles she pinned from other reports still appear. The associated reports and dataset are no longer available (and don't appear in her left navigation pane).

Data security

All distribution group members have the same permissions to the data as the content pack creator. The one exception to this is SQL Server Analysis Services (SSAS) on-premises tabular datasets. Because the reports and dashboards are connecting live to the on-premises SSAS model, the credentials of each individual distribution group member are used to determine the data he or she can access.

Creating Content Packs

In the Power BI service, go to Get Data > Samples > Opportunity Analysis Sample > Connect to get your own copy.

1.In the left navigation pane, select the Opportunity Analysis Sample dashboard.

2.From the top navigation bar, select the cog icon  > Create content pack.
 

3.In the Create Content Pack window, enter the following information.

Keep in mind that your organization's content pack library could end up with hundreds of content packs published for the organization or for groups. Take time to give your content pack a meaningful name, to add a good description, and to select the right audience. Use words that will make your content pack easy to find via search.

a. Select Specific Groups and enter the full email addresses for individuals, Office 365 groups, distribution groups, or security groups. For example:
salesmgrs@usf.edu; sales@usf.edu

For this tutorial, try using your own or your group's email address.
b. Name the content pack Sales Opportunities.
Tip: Consider including the name of the dashboard in the name of the content pack. That way, your colleagues will find the dashboard more easily after they connect to your content pack.
c. Recommended: Add a description. This helps coworkers more easily find the content packs that they need. Besides a description, add keywords your coworkers might use to search for this content pack. Include contact information in case your coworkers have a question or need help.
d. Upload an image or logo to make it easier for group members to find the content pack — it's faster to scan for an image than it is to find text. We used an image of the Opportunity Count 100% column chart tile in the screen shot below.
e. Select the Opportunity Analysis Sample dashboard to add it to the content pack. Power BI automatically adds the associated report and dataset. You can add others, if you want.

Note: Only the dashboards, reports, datasets, and workbooks that you can edit are listed. Thus, any that were shared with you aren't in the list.


f. If you have Excel workbooks, you see them under Reports, with an Excel icon. You can add them to the content pack, too.

Note: If members of the group can't view the Excel workbook, you may need to share the workbook with them in OneDrive for Business.

4.Select Publish to add the content pack to the group's organizational content pack library.
You see a success message when it publishes successfully.

5.When members of your group go to Get Data > My Organization, they tap in the search box and type "Sales Opportunities".


6.They see your content pack.
 
Tip: The URL displayed in your browser is an unique address for this content pack. Want to tell your coworkers about this new content pack? Paste the URL into an email.


7.They select Connect, and now they can view and work with your content pack.


 Creating APP for Shared Content Security

App workspaces

App workspaces are the places where you create apps, so to create an app, you first need to create the app workspace. If you’ve ever worked in a group workspace in Power BI, then app workspaces will be familiar. They’re the evolution of group workspaces – staging areas and containers for the content in the app.

You can add colleagues to these workspaces as members or admins. All app workspace members and admins need Power BI Pro licenses. In the workspace you can all collaborate on dashboards, reports, and other articles that you plan to distribute to a wider audience, or even your entire organization.

When the content is ready, you distribute the app. You can send a direct link to that wider audience, or they can find your app from the Apps tab by going to Download and explore more apps from AppSource. Those people can’t modify the contents of the app, but they can interact with it either in the Power BI service, or one of the mobile apps -– filtering, highlighting, and sorting the data themselves.

How are app workspaces different from group workspaces?

All existing group workspaces can serve as app workspaces, and you can publish apps from any of these workspaces. Here’s one way app workspaces and group workspaces are different: You create an app workspace as a place to create and house a specific app. There’s a one-to-one relationship between the app and contents of the app workspace. Everything in the app workspace will be in the app when you distribute it.

 

Now that you understand apps and app workspaces, let's start creating and publishing an app.

Create an app workspace

1.Start by creating the workspace. Select Workspaces > Create app workspace.

Create app workspace

 

This will be the place to put content that you and your colleagues collaborate on.

2.Give the workspace a name. If the corresponding Workspace ID isn't available, edit it to come up with a unique ID.

This will be the name of the app, too.

 

3.You have a few options to set. If you choose Public, anyone in your organization can see what’s in the workspace. Private, on the other hand, means only members of the workspace can see its contents.

 

Note:

  You can't change the Public/Private setting after you've created the group.

4.You can also choose if members can edit or have view-only access

 

Tip:

  If you're adding someone to the app workspace, it should be so they can edit the content. If they're only going to view the content, don't add them to the workspace. You can include them when you publish the app.

5.Add email addresses of people you want to have access to the workspace, and select Add. You can’t add group aliases, just individuals.

6.Decide whether each person is a member or an admin.

 

Admins can edit the workspace itself, including adding other members. Members can edit the content in the workspace, unless they have view-only access. Both can publish the app.

7.Select Save.

Power BI creates the workspace and opens it. It appears in the list of workspaces you’re a member of. Because you’re an admin, you can select the ellipsis (…) to go back and make changes to it, adding new members or changing their permissions.

It’s empty, so now you add content to it. Adding content is just like adding content to your My Workspace, except the other people in the workspace can see and work on it, too. A big difference is that when you get done, you can distribute the content as an app. While in the app workspace, you can upload or connect to files, or connect to third-party services, just as you would in your own My Workspace. For example:

•Connect to services such as Microsoft Dynamics CRM, Salesforce, or Google Analytics.

•Get data from files such as Excel, CSV, or Power BI Desktop (PBIX) files.

Add an image to your app (optional)

By default, Power BI creates a little colored circle for your app, with the app's initials. But maybe you want to customize it with an image.

Note:

To add an image to an app, you need an Exchange Online license.

1.Select Workspaces, select the ellipsis (...) next to the name of the workspace, then Members.

The Office 365 Outlook account for the workspace opens in a new browser window.

2.When you hover over the colored circle in the upper left, it turns into a pencil icon. Select it.

3.Select the pencil icon again, and find the image you want to use.

4.Select Save.

The image replaces the colored circle in the Office 365 Outlook window.

In a few minutes, it will appear in the app in Power BI, too.

Distribute an app

When you’ve finished creating and perfecting the dashboards and reports in your app workspace, you package it all up as an app and distribute it.

1.In the workspace, select the Publish app button in the upper right to start the process of sharing all the content in that workspace.

2.First, on Details, fill in the description to help people find the app. You can set a background color to personalize it.

3.Next, on Content, you see the content that’s going to be published as part of the app – everything that’s in that workspace. You can also set the landing page – the dashboard or report people will see first when they go to your app. You can choose None. Then they’ll land on a list of all the content in the app.

4.Last, on Access, decide who has access to the app: either everyone in your organization, or specific people or email distribution lists.

5.When you select Finish, you see a message confirming it’s ready to publish.

6.In the success dialog box, you can copy the URL that’s a direct link to this app and send it to the people you’ve shared it with.

The business users that you've distributed the app to can find it in two different ways. You can send them the direct link to the app, or they can search for it in Microsoft AppSource, where they see all the apps that they can access. Either way, after that whenever they go to Apps, they’ll see this app in their list.

 

Change your published app

After you publish your app, you may want to change or update it. You notice that when you open your app from Apps, even though you’re the one who published it, you can’t edit it – Edit Report is grayed out.

But it’s easy to update it if you’re an admin or member of the app workspace.

1.Open the app workspace that corresponds to the app.

2.Open the dashboard or the report. You see that you can make any changes you want.

Note:

 The app workspace is your staging area, so your changes aren't pushed live to the app until you publish again. This lets you make changes without affecting the published apps.

3.Go back to the app workspace list of contents and select Update app.

4.Update Details, Content, and Access, if you need to, then select Update app.

The people you’ve distributed the app to automatically see the updated version of the app.

Unpublish an app

Any member of an app workspace can unpublish the app.

•In an app workspace, select the ellipsis (...) in the upper-right corner > Unpublish app.

This action uninstalls the app for everyone you've distributed it to, and they no longer have access to it. It doesn't delete the app workspace or its contents.

Power BI apps FAQ

How are app workspaces different from group workspaces?

With this release, we have renamed all group workspaces to app workspaces. You can publish an app from any of these workspaces. The functionality remains on par with group workspaces for the most part. Over the next few months, we plan on the following enhancements to app workspaces:

•Creating app workspaces won't create corresponding entities in Office 365 like group workspaces do. So you can create any number of app workspaces without worrying about different Office 365 groups being created behind the scenes (you can still use an Office 365 group’s OneDrive for Business to store your files).

•Today you can add only individuals to the members and admin lists. Soon you'll be able to add multiple AD security groups or modern groups to these lists to allow for easier management.

How are apps different from organizational content packs?

Apps are an evolution and simplification of content packs, with a few major differences.

•After business users install a content pack, it loses its grouped identity: it's just a list of dashboards and reports interspersed with other dashboards and reports. Apps, on the other hand, maintain their grouping and identity even after installation. This makes it easy for business users to continue to navigate to them over time.

•You can create multiple content packs from any workspace, but an app has a 1:1 relationship with its workspace. We believe this makes apps easier to understand and maintain over the long run. See the roadmap section of the Power BI blog for more on how we plan to improve this area.

•Over time we plan to deprecate organizational content packs, so we recommend you create apps from now on.

What about read-only members in groups?

In groups, you can add read-only members who can only view the content. The main problem with this approach was that you couldn't add security groups as members. With apps, you can publish a read-only version of your app workspace to large audiences, including security groups. You can stage your changes to the dashboards and reports in the app without affecting end users. We recommend that you use apps in this way in the future. Over the long run, we plan to deprecate read-only members of workspaces as well.

 

 

  • No labels