Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
qp_andy
Frequent Visitor

Security

‎11-21-2019 10:46 AM
Scenario: User has a desktop pro licence at Organisation A, as well as a personal O365 business subscription with Power BI.

Question: What security controls exist to stop that user publishing content from Organisation A into their own workspace on their own subscription?
Labels:
Message 1 of 7
721 Views
6 REPLIES 6
v-joesh-msft
Solution Sage
Solution Sage

‎11-22-2019 01:00 AM

Hi @qp_andy ,

I'm a little confused by your description. Do you mean to restrict user A's permission to create reports in the workspace? If so, click Access in the workspace to set the user role to Viewer. Roles let you manage who can do what in a workspace, so teams can collaborate. New workspaces allow you to assign roles to individuals, and to user groups: security groups, Office 365 groups, and distribution lists. For more information, please refer to the documentation: 

Organize work in the new workspaces in Power BI

21.PNG22.PNG

Best Regards,

Community Support Team _ Joey
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

 
Message 2 of 7
647 Views
0
qp_andy
Frequent Visitor
In response to v-joesh-msft

‎11-22-2019 01:46 AM

Let me try and make it clearer. There is one user (lets called him Dean) who has his own small IT company (Company A). Company A has an O365 Business subscription, and Dean is the admin and only user (Dean@CompanyA.com). He has a Power BI free user licence on this account so can create in Desktop and publish to his own workspace on PBI service.

 

Company B hires Dean to work on a Power BI project. Company B creates an AAD user account for Dean (Dean@companyB.com) so he can work on their network, and grants a PBI desktop pro licence with his Company B credentials. Dean creates and publishes content using his Dean@companyB.com credentials. All good.

 

BUT....

 

What is stopping Dean logging in to Company B's network (Dean@companyB.com), creating content in PBI Desktop using Company B's data, then logging into the PBI service using his Dean@CompanyA.com account and publishing that content to the Comany A workspace?

Message 3 of 7
639 Views
0
v-joesh-msft
Solution Sage
Solution Sage
In response to qp_andy

‎11-25-2019 02:26 AM

Hi @qp_andy ,

Power bi cannot limit which account the user uses to publish the report. If you want users to be unable to see content including data and reports on other networks, you can use DirectQuery or Live connection mode to connect to data or connect to a data source such as DataFlow.

Best Regards,

Community Support Team _ Joey
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Message 4 of 7
583 Views
0
qp_andy
Frequent Visitor
In response to v-joesh-msft

‎11-30-2019 03:04 AM
Seems a major flaw that there is no way to limit the domains/accounts being published to in power bi service, based on the windows account the publisher is logged into? Yes it will all be logged retrospectively, but by then it’s too late....
Message 5 of 7
569 Views
0
d_gosbell
Super User
Super User
In response to qp_andy

‎12-03-2019 04:51 PM

But this flaw is not specific to Power BI, there is also nothing stopping "dean" from downloading company B's data to csv files and then copying them to a usb drive or uploading them to dropbox, google drive or any of the cloud base file services. 

Message 6 of 7
538 Views
0
qp_andy
Frequent Visitor
In response to d_gosbell

‎12-04-2019 02:28 AM

Hi @d_gosbell 

 

Thanks but that's a subtly different point - there could be endpoint security on the device to lock down all of the ports for example.

 

My main point is there should be a control available to admins that they can set, that compares the domain someone is publishing from, to the domain they are publishing to, and allow/disallow publishing based on the rules set. Unless I'm missing something, this doesn't exist.

 

 

 

Message 7 of 7
525 Views
0

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All