The Power BI Lock
02-04-2018 02:35 AM - last edited 02-05-2018 03:19 AM
02-04-2018 02:35 AM - edited 02-05-2018 03:19 AM
I've been thinking for some time about the Power BI Publish to Web feature, but not being safe to keep your data there as the content will be public for someone who accidentally finds out the link. I have built a new feature called the Power BI Lock to allow safer publishing to the web (only being able to view the actual report if holding a specific code). Try out the live demo.
What is needed to build the Power BI Lock?
One Access check frontpage with any number of slicers, having as many possible selections as you want (the more, the less likely someone accidentally finds out the correct key), from which the final Key value will be combined with:
SELECTEDVALUE(Code1[Code1]) & SELECTEDVALUE(Code2[Code2])
One table called Key_Control with a row having the correct Code (Access_Key_Valid). In this case, to make the link even lighter, we have a 2nd column called Access with just a 1. This Access will be linked to the remaining of the data model. I have also added here the image of the unlocked lock.
Two measures in the same Key_Control table: One Access_Key_Selection measure, which will validate if the combination from the N slicers matches your Access_Key_Valid
Access_Key_Selection = IF( FIRSTNONBLANK(Key_Control[Access_Key_Valid];Key_Control[Access_Key_Valid]) = SELECTEDVALUE(Code1[Code1]) & SELECTEDVALUE(Code2[Code2]); FIRSTNONBLANK(Key_Control[Access_Key_Valid];Key_Control[Access_Key_Valid]); BLANK() )
One info measure, which will show a message according to the code combination:
Info = if( SELECTEDVALUE(Code1[Code1]) = blank(); "Select the correct combination to have access to the Report"; if( SELECTEDVALUE(Code2[Code2]) = blank(); "Select the correct combination to have access to the Report"; if( CONCATENATE(SELECTEDVALUE(Code1[Code1]);SELECTEDVALUE(Code2[Code2]))="B202"; "Unlocked! Right click the code and drill through Report to proceed!"; "Wrong Code! Try again!" )))
Adding the Access_Key_Valid as a Drillthrough filter on the hidden report page
The Lock / Unlocked effect is done by placing the locked image underneath the unlocked image and access code in the shape of a matrix visual (to allow the drill through ability)
Future work: I am thinking about building a version with only one keypad for typing the complete code, and also using other options for the link between the pages like bookmarks, not sure if possible though. Do you have specific cases or applications where this can be useful? Do you have other ideas to reach the same result?
@ 2018 by Pedro Reis
02-16-2018 03:31 AM - edited 02-16-2018 03:38 AM
This is a creative idea and could be a fun way to "lock down" a report with public data. While it might stop the majority of people from accessing the publish to web content, readers should be aware that it's not truly secure. The access key appears in a few places behind the scenes if you know where to look (and not simply because it's in the visual textbox). Only use Publish to Web with PUBLIC data.
02-18-2018 12:20 PM
Indeed, I had already tested with some of my security colleagues, and the Key appears in the HMTL properties if it is selected.
In this POC example you actually know the key and hence when selected you can identify the property that contains it, but otherwise, I have tested it and it will not show up because it depends on the underlying context of a measure.
Not knowing the key you can test all the keys via brute force and it will show a different property once the correct combination is selected. But is it manageable to brute force attack if I setup 3 slicers with 1 million combinations of 3 slicers each?
What I am curious to know is if the Power BI server allow such brute force attacks or are they cut out after a few attempts?