Solved: Is Row-Level Security in Power PBI Embedded Really...

PBR · ‎04-16-2020

Long Time Reader, first Time Poster,

So, imagine a Power BI Embedded App-Owns data scenario where I have a report configured for Row Level Security, and the report shows different data based on the user and role(s).

If I have a web application protected by authentication, and I request the embed token using server-side code (e.g. .Net Core), I can ensure that the returned token restricts the user to see only what he/she should be able to, because the username, roles, and datasets I send in the EffectiveIdentity are transmitted directly between my application and the Power BI service; the request for the token doesn't pass through the browser and thus can't be modified by the end-user.

However, in a completely client-side JavaScript scenario, is Row Level Security really achievable? If I am a bad actor, I can just use Chrome developer tools (or Fiddler, or whatever) to override the username, roles, etc. in the 'identities' object and put whatever I want in there before the script makes the POST to the Power BI service. Am I missing something, or is the RLS in a client-side-only Power BI scenario not really "secure"?

Thanks!

MattCalderwood · ‎04-22-2020

Hi @PBR

I have just gone through this same scenario whilst migrating an embedded solution from asp.net core MVC - over to React JS.

In the App owns data flow, you are right with the fact that 'spoofing' an account/user becomes much easier.

Because of this, I came to the conclusion that creating an API to deal with the creation of tokens/report configuration was the only route forward. My server-side API now validates permissions based on OAuth tokens - and creates an appropriate embed token.

It's frustrating to need an additional server side component - but where security is concerned, it is worth it.

Hope this helps.

View solution in original post

MattCalderwood · ‎04-22-2020

Hi @PBR

I have just gone through this same scenario whilst migrating an embedded solution from asp.net core MVC - over to React JS.

In the App owns data flow, you are right with the fact that 'spoofing' an account/user becomes much easier.

Because of this, I came to the conclusion that creating an API to deal with the creation of tokens/report configuration was the only route forward. My server-side API now validates permissions based on OAuth tokens - and creates an appropriate embed token.

It's frustrating to need an additional server side component - but where security is concerned, it is worth it.

Hope this helps.

tupadhyay · ‎05-24-2020

@MattCalderwood In APP own data flow, wouldn't be good idea to create ServicePrincipal (https://docs.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal) and keep user/account details on your server and generate token using API call. This API call would be Server-to-Server (your server to powerbi service).

My major concern is when we pass Embed Token to client space, any one can use it. It would be easy to user PowerBi Embed Playground to query different data.

In your replay, you mentioned Your server side API validates permission based on OAuth token and creates an appropriate embed token.

Are you creating multiple accounts or it would be single user account on PowerBi that has an access to Report Workspace and you use those credentials to Generate Embed Token.

MattCalderwood · ‎06-16-2020

Hi @tupadhyay

Sorry for the slow reply - the last few weeks have been a bit tricky for me, and I wasn't able to reply any sooner.

Regarding your OAuth question.
The applications I have written in the past have used OAuth as an authentication layer to the application itself. So, this is completely independent of Power BI/Azure etc... So the generation of a Power BI token is completely dependent on the request coming from a user who is already authenticated by another mechanism. You are correct in saying that the Power BI token generation is a server-to-server process.

In terms of keeping power BI tokens safe client side once generated - you have to rely on the outer layer of security for your app. And yes... an end user could (in theory) take the details of the token, report embed URL etc... and put the details into a site like the Embedded Playground - and render your reports.

This is where Row Level Security (defined in your data model - and associated with the token) comes into play.
You should design any RLS rules to ensure that a user cannot bypass by manipulating a slicer in your application.

Embedding tokens also allow you to set read/write access levels - that will stop any end user enabling edit features too. Stopping them from accessing fields/values that would otherwise be hidden from view.

Hope this helps if you are still stuck.

nandukrishnavs · ‎04-18-2020

@PBR - I think if your token type is AAD, then Power BI will handle the RLS part.
If you are embedding the report using the master account, you have to use .net core to pass the user role.

Reference links:

Did I answer your question? Mark my post as a solution!
Appreciate with a kudos 🙂

Regards,
Nandu Krishna

Is Row-Level Security in Power PBI Embedded Really "Secure" in a Purely Client-Side Application?

Helpful resources

Fabric certifications survey

Power BI Monthly Update - April 2024

Fabric Community Update - April 2024